1 /*
2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.ssl;
28
29 import java.io.*;
30 import java.nio.*;
31 import java.net.*;
32 import java.security.GeneralSecurityException;
33 import java.security.AccessController;
34 import java.security.AccessControlContext;
35 import java.security.PrivilegedAction;
36 import java.security.AlgorithmConstraints;
37 import java.util.*;
38 import java.util.concurrent.TimeUnit;
39 import java.util.concurrent.locks.ReentrantLock;
40 import java.util.function.BiFunction;
41
42 import javax.crypto.BadPaddingException;
43 import javax.net.ssl.*;
44
45 import jdk.internal.misc.JavaNetInetAddressAccess;
46 import jdk.internal.misc.SharedSecrets;
47
48 /**
49 * Implementation of an SSL socket. This is a normal connection type
50 * socket, implementing SSL over some lower level socket, such as TCP.
51 * Because it is layered over some lower level socket, it MUST override
52 * all default socket methods.
53 *
54 * <P> This API offers a non-traditional option for establishing SSL
55 * connections. You may first establish the connection directly, then pass
56 * that connection to the SSL socket constructor with a flag saying which
57 * role should be taken in the handshake protocol. (The two ends of the
58 * connection must not choose the same role!) This allows setup of SSL
59 * proxying or tunneling, and also allows the kind of "role reversal"
60 * that is required for most FTP data transfers.
61 *
62 * @see javax.net.ssl.SSLSocket
63 * @see SSLServerSocket
64 *
65 * @author David Brownell
66 */
67 public final class SSLSocketImpl extends BaseSSLSocketImpl {
68
69 /*
70 * ERROR HANDLING GUIDELINES
71 * (which exceptions to throw and catch and which not to throw and catch)
72 *
73 * . if there is an IOException (SocketException) when accessing the
74 * underlying Socket, pass it through
75 *
76 * . do not throw IOExceptions, throw SSLExceptions (or a subclass)
77 *
78 * . for internal errors (things that indicate a bug in JSSE or a
79 * grossly misconfigured J2RE), throw either an SSLException or
80 * a RuntimeException at your convenience.
81 *
82 * . handshaking code (Handshaker or HandshakeMessage) should generally
83 * pass through exceptions, but can handle them if they know what to
84 * do.
85 *
86 * . exception chaining should be used for all new code. If you happen
87 * to touch old code that does not use chaining, you should change it.
88 *
89 * . there is a top level exception handler that sits at all entry
90 * points from application code to SSLSocket read/write code. It
91 * makes sure that all errors are handled (see handleException()).
92 *
93 * . JSSE internal code should generally not call close(), call
94 * closeInternal().
95 */
96
97 /*
98 * There's a state machine associated with each connection, which
99 * among other roles serves to negotiate session changes.
100 *
101 * - START with constructor, until the TCP connection's around.
102 * - HANDSHAKE picks session parameters before allowing traffic.
103 * There are many substates due to sequencing requirements
104 * for handshake messages.
105 * - DATA may be transmitted.
106 * - RENEGOTIATE state allows concurrent data and handshaking
107 * traffic ("same" substates as HANDSHAKE), and terminates
108 * in selection of new session (and connection) parameters
109 * - ERROR state immediately precedes abortive disconnect.
110 * - SENT_CLOSE sent a close_notify to the peer. For layered,
111 * non-autoclose socket, must now read close_notify
112 * from peer before closing the connection. For nonlayered or
113 * non-autoclose socket, close connection and go onto
114 * cs_CLOSED state.
115 * - CLOSED after sending close_notify alert, & socket is closed.
116 * SSL connection objects are not reused.
117 * - APP_CLOSED once the application calls close(). Then it behaves like
118 * a closed socket, e.g.. getInputStream() throws an Exception.
119 *
120 * State affects what SSL record types may legally be sent:
121 *
122 * - Handshake ... only in HANDSHAKE and RENEGOTIATE states
123 * - App Data ... only in DATA and RENEGOTIATE states
124 * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE
125 *
126 * Re what may be received: same as what may be sent, except that
127 * HandshakeRequest handshaking messages can come from servers even
128 * in the application data state, to request entry to RENEGOTIATE.
129 *
130 * The state machine within HANDSHAKE and RENEGOTIATE states controls
131 * the pending session, not the connection state, until the change
132 * cipher spec and "Finished" handshake messages are processed and
133 * make the "new" session become the current one.
134 *
135 * NOTE: details of the SMs always need to be nailed down better.
136 * The text above illustrates the core ideas.
137 *
138 * +---->-------+------>--------->-------+
139 * | | |
140 * <-----< ^ ^ <-----< v
141 *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE SENT_CLOSE
142 * v v v | |
143 * | | | | v
144 * +------------+---------------+ v ERROR
145 * | | |
146 * v | |
147 * ERROR>------>----->CLOSED<--------<----+-- +
148 * |
149 * v
150 * APP_CLOSED
151 *
152 * ALSO, note that the purpose of handshaking (renegotiation is
153 * included) is to assign a different, and perhaps new, session to
154 * the connection. The SSLv3 spec is a bit confusing on that new
155 * protocol feature.
156 */
157 private static final int cs_START = 0;
158 private static final int cs_HANDSHAKE = 1;
159 private static final int cs_DATA = 2;
160 private static final int cs_RENEGOTIATE = 3;
161 private static final int cs_ERROR = 4;
162 private static final int cs_SENT_CLOSE = 5;
163 private static final int cs_CLOSED = 6;
164 private static final int cs_APP_CLOSED = 7;
165
166 /*
167 * Drives the protocol state machine.
168 */
169 private volatile int connectionState;
170
171 /*
172 * Flag indicating if the next record we receive MUST be a Finished
173 * message. Temporarily set during the handshake to ensure that
174 * a change cipher spec message is followed by a finished message.
175 */
176 private boolean expectingFinished;
177
178 /*
179 * For improved diagnostics, we detail connection closure
180 * If the socket is closed (connectionState >= cs_ERROR),
181 * closeReason != null indicates if the socket was closed
182 * because of an error or because or normal shutdown.
183 */
184 private SSLException closeReason;
185
186 /*
187 * Per-connection private state that doesn't change when the
188 * session is changed.
189 */
190 private ClientAuthType doClientAuth =
191 ClientAuthType.CLIENT_AUTH_NONE;
192 private boolean roleIsServer;
193 private boolean enableSessionCreation = true;
194 private String host;
195 private boolean autoClose = true;
196 private AccessControlContext acc;
197
198 // The cipher suites enabled for use on this connection.
199 private CipherSuiteList enabledCipherSuites;
200
201 // The endpoint identification protocol
202 private String identificationProtocol = null;
203
204 // The cryptographic algorithm constraints
205 private AlgorithmConstraints algorithmConstraints = null;
206
207 // The server name indication and matchers
208 List<SNIServerName> serverNames =
209 Collections.<SNIServerName>emptyList();
210 Collection<SNIMatcher> sniMatchers =
211 Collections.<SNIMatcher>emptyList();
212
213 // Is the serverNames set to empty with SSLParameters.setServerNames()?
214 private boolean noSniExtension = false;
215
216 // Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()?
217 private boolean noSniMatcher = false;
218
219 // Is the use of Certificate Authorities TLS extension enabled?
220 // Use variable getter method to query the value.
221 private boolean useCertificateAuthorities = false;
222
223 // Configured application protocol values
224 String[] applicationProtocols = new String[0];
225
226 // Negotiated application protocol value.
227 //
228 // The value under negotiation will be obtained from handshaker.
229 String applicationProtocol = null;
230
231 // Callback function that selects the application protocol value during
232 // the SSL/TLS handshake.
233 BiFunction<SSLSocket, List<String>, String> applicationProtocolSelector;
234
235 /*
236 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
237 * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.
238 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
239 *
240 * There are several locks here.
241 *
242 * The primary lock is the per-instance lock used by
243 * synchronized(this) and the synchronized methods. It controls all
244 * access to things such as the connection state and variables which
245 * affect handshaking. If we are inside a synchronized method, we
246 * can access the state directly, otherwise, we must use the
247 * synchronized equivalents.
248 *
249 * The handshakeLock is used to ensure that only one thread performs
250 * the *complete initial* handshake. If someone is handshaking, any
251 * stray application or startHandshake() requests who find the
252 * connection state is cs_HANDSHAKE will stall on handshakeLock
253 * until handshaking is done. Once the handshake is done, we either
254 * succeeded or failed, but we can never go back to the cs_HANDSHAKE
255 * or cs_START state again.
256 *
257 * Note that the read/write() calls here in SSLSocketImpl are not
258 * obviously synchronized. In fact, it's very nonintuitive, and
259 * requires careful examination of code paths. Grab some coffee,
260 * and be careful with any code changes.
261 *
262 * There can be only three threads active at a time in the I/O
263 * subsection of this class.
264 * 1. startHandshake
265 * 2. AppInputStream
266 * 3. AppOutputStream
267 * One thread could call startHandshake().
268 * AppInputStream/AppOutputStream read() and write() calls are each
269 * synchronized on 'this' in their respective classes, so only one
270 * app. thread will be doing a SSLSocketImpl.read() or .write()'s at
271 * a time.
272 *
273 * If handshaking is required (state cs_HANDSHAKE), and
274 * getConnectionState() for some/all threads returns cs_HANDSHAKE,
275 * only one can grab the handshakeLock, and the rest will stall
276 * either on getConnectionState(), or on the handshakeLock if they
277 * happen to successfully race through the getConnectionState().
278 *
279 * If a writer is doing the initial handshaking, it must create a
280 * temporary reader to read the responses from the other side. As a
281 * side-effect, the writer's reader will have priority over any
282 * other reader. However, the writer's reader is not allowed to
283 * consume any application data. When handshakeLock is finally
284 * released, we either have a cs_DATA connection, or a
285 * cs_CLOSED/cs_ERROR socket.
286 *
287 * The writeLock is held while writing on a socket connection and
288 * also to protect the MAC and cipher for their direction. The
289 * writeLock is package private for Handshaker which holds it while
290 * writing the ChangeCipherSpec message.
291 *
292 * To avoid the problem of a thread trying to change operational
293 * modes on a socket while handshaking is going on, we synchronize
294 * on 'this'. If handshaking has not started yet, we tell the
295 * handshaker to change its mode. If handshaking has started,
296 * we simply store that request until the next pending session
297 * is created, at which time the new handshaker's state is set.
298 *
299 * The readLock is held during readRecord(), which is responsible
300 * for reading an SSLInputRecord, decrypting it, and processing it.
301 * The readLock ensures that these three steps are done atomically
302 * and that once started, no other thread can block on SSLInputRecord.read.
303 * This is necessary so that processing of close_notify alerts
304 * from the peer are handled properly.
305 */
306 private final Object handshakeLock = new Object();
307 final ReentrantLock writeLock = new ReentrantLock();
308 private final Object readLock = new Object();
309
310 InputRecord inputRecord;
311 OutputRecord outputRecord;
312
313 /*
314 * security parameters for secure renegotiation.
315 */
316 private boolean secureRenegotiation;
317 private byte[] clientVerifyData;
318 private byte[] serverVerifyData;
319
320 /*
321 * The authentication context holds all information used to establish
322 * who this end of the connection is (certificate chains, private keys,
323 * etc) and who is trusted (e.g. as CAs or websites).
324 */
325 private SSLContextImpl sslContext;
326
327
328 /*
329 * This connection is one of (potentially) many associated with
330 * any given session. The output of the handshake protocol is a
331 * new session ... although all the protocol description talks
332 * about changing the cipher spec (and it does change), in fact
333 * that's incidental since it's done by changing everything that
334 * is associated with a session at the same time. (TLS/IETF may
335 * change that to add client authentication w/o new key exchg.)
336 */
337 private Handshaker handshaker;
338 private SSLSessionImpl sess;
339 private volatile SSLSessionImpl handshakeSession;
340
341
342 /*
343 * If anyone wants to get notified about handshake completions,
344 * they'll show up on this list.
345 */
346 private HashMap<HandshakeCompletedListener, AccessControlContext>
347 handshakeListeners;
348
349 /*
350 * Reuse the same internal input/output streams.
351 */
352 private InputStream sockInput;
353 private OutputStream sockOutput;
354
355
356 /*
357 * These input and output streams block their data in SSL records,
358 * and usually arrange integrity and privacy protection for those
359 * records. The guts of the SSL protocol are wrapped up in these
360 * streams, and in the handshaking that establishes the details of
361 * that integrity and privacy protection.
362 */
363 private AppInputStream input;
364 private AppOutputStream output;
365
366 /*
367 * The protocol versions enabled for use on this connection.
368 *
369 * Note: we support a pseudo protocol called SSLv2Hello which when
370 * set will result in an SSL v2 Hello being sent with SSL (version 3.0)
371 * or TLS (version 3.1, 3.2, etc.) version info.
372 */
373 private ProtocolList enabledProtocols;
374
375 /*
376 * The SSL version associated with this connection.
377 */
378 private ProtocolVersion protocolVersion = ProtocolVersion.DEFAULT_TLS;
379
380 /* Class and subclass dynamic debugging support */
381 private static final Debug debug = Debug.getInstance("ssl");
382
383 /*
384 * Whether local cipher suites preference in server side should be
385 * honored during handshaking?
386 */
387 private boolean preferLocalCipherSuites = false;
388
389 /*
390 * The maximum expected network packet size for SSL/TLS/DTLS records.
391 */
392 private int maximumPacketSize = 0;
393
394 /*
395 * Is the local name service trustworthy?
396 *
397 * If the local name service is not trustworthy, reverse host name
398 * resolution should not be performed for endpoint identification.
399 */
400 static final boolean trustNameService =
401 Debug.getBooleanProperty("jdk.tls.trustNameService", false);
402
403 //
404 // CONSTRUCTORS AND INITIALIZATION CODE
405 //
406
407 /**
408 * Constructs an SSL connection to a named host at a specified port,
409 * using the authentication context provided. This endpoint acts as
410 * the client, and may rejoin an existing SSL session if appropriate.
411 *
412 * @param context authentication context to use
413 * @param host name of the host with which to connect
414 * @param port number of the server's port
415 */
416 SSLSocketImpl(SSLContextImpl context, String host, int port)
417 throws IOException, UnknownHostException {
418 super();
419 this.host = host;
420 this.serverNames =
421 Utilities.addToSNIServerNameList(this.serverNames, this.host);
422 init(context, false);
423 SocketAddress socketAddress =
424 host != null ? new InetSocketAddress(host, port) :
425 new InetSocketAddress(InetAddress.getByName(null), port);
426 connect(socketAddress, 0);
427 }
428
429
430 /**
431 * Constructs an SSL connection to a server at a specified address.
432 * and TCP port, using the authentication context provided. This
433 * endpoint acts as the client, and may rejoin an existing SSL session
434 * if appropriate.
435 *
436 * @param context authentication context to use
437 * @param address the server's host
438 * @param port its port
439 */
440 SSLSocketImpl(SSLContextImpl context, InetAddress host, int port)
441 throws IOException {
442 super();
443 init(context, false);
444 SocketAddress socketAddress = new InetSocketAddress(host, port);
445 connect(socketAddress, 0);
446 }
447
448 /**
449 * Constructs an SSL connection to a named host at a specified port,
450 * using the authentication context provided. This endpoint acts as
451 * the client, and may rejoin an existing SSL session if appropriate.
452 *
453 * @param context authentication context to use
454 * @param host name of the host with which to connect
455 * @param port number of the server's port
456 * @param localAddr the local address the socket is bound to
457 * @param localPort the local port the socket is bound to
458 */
459 SSLSocketImpl(SSLContextImpl context, String host, int port,
460 InetAddress localAddr, int localPort)
461 throws IOException, UnknownHostException {
462 super();
463 this.host = host;
464 this.serverNames =
465 Utilities.addToSNIServerNameList(this.serverNames, this.host);
466 init(context, false);
467 bind(new InetSocketAddress(localAddr, localPort));
468 SocketAddress socketAddress =
469 host != null ? new InetSocketAddress(host, port) :
470 new InetSocketAddress(InetAddress.getByName(null), port);
471 connect(socketAddress, 0);
472 }
473
474
475 /**
476 * Constructs an SSL connection to a server at a specified address.
477 * and TCP port, using the authentication context provided. This
478 * endpoint acts as the client, and may rejoin an existing SSL session
479 * if appropriate.
480 *
481 * @param context authentication context to use
482 * @param address the server's host
483 * @param port its port
484 * @param localAddr the local address the socket is bound to
485 * @param localPort the local port the socket is bound to
486 */
487 SSLSocketImpl(SSLContextImpl context, InetAddress host, int port,
488 InetAddress localAddr, int localPort)
489 throws IOException {
490 super();
491 init(context, false);
492 bind(new InetSocketAddress(localAddr, localPort));
493 SocketAddress socketAddress = new InetSocketAddress(host, port);
494 connect(socketAddress, 0);
495 }
496
497 /*
498 * Package-private constructor used ONLY by SSLServerSocket. The
499 * java.net package accepts the TCP connection after this call is
500 * made. This just initializes handshake state to use "server mode",
501 * giving control over the use of SSL client authentication.
502 */
503 SSLSocketImpl(SSLContextImpl context, boolean serverMode,
504 CipherSuiteList suites, ClientAuthType clientAuth,
505 boolean sessionCreation, ProtocolList protocols,
506 String identificationProtocol,
507 AlgorithmConstraints algorithmConstraints,
508 Collection<SNIMatcher> sniMatchers,
509 boolean preferLocalCipherSuites,
510 String[] applicationProtocols) throws IOException {
511
512 super();
513 doClientAuth = clientAuth;
514 enableSessionCreation = sessionCreation;
515 this.identificationProtocol = identificationProtocol;
516 this.algorithmConstraints = algorithmConstraints;
517 this.sniMatchers = sniMatchers;
518 this.preferLocalCipherSuites = preferLocalCipherSuites;
519 this.applicationProtocols = applicationProtocols;
520 init(context, serverMode);
521
522 /*
523 * Override what was picked out for us.
524 */
525 enabledCipherSuites = suites;
526 enabledProtocols = protocols;
527 }
528
529
530 /**
531 * Package-private constructor used to instantiate an unconnected
532 * socket. The java.net package will connect it, either when the
533 * connect() call is made by the application. This instance is
534 * meant to set handshake state to use "client mode".
535 */
536 SSLSocketImpl(SSLContextImpl context) {
537 super();
538 init(context, false);
539 }
540
541
542 /**
543 * Layer SSL traffic over an existing connection, rather than creating
544 * a new connection. The existing connection may be used only for SSL
545 * traffic (using this SSLSocket) until the SSLSocket.close() call
546 * returns. However, if a protocol error is detected, that existing
547 * connection is automatically closed.
548 *
549 * <P> This particular constructor always uses the socket in the
550 * role of an SSL client. It may be useful in cases which start
551 * using SSL after some initial data transfers, for example in some
552 * SSL tunneling applications or as part of some kinds of application
553 * protocols which negotiate use of a SSL based security.
554 *
555 * @param sock the existing connection
556 * @param context the authentication context to use
557 */
558 SSLSocketImpl(SSLContextImpl context, Socket sock, String host,
559 int port, boolean autoClose) throws IOException {
560 super(sock);
561 // We always layer over a connected socket
562 if (!sock.isConnected()) {
563 throw new SocketException("Underlying socket is not connected");
564 }
565 this.host = host;
566 this.serverNames =
567 Utilities.addToSNIServerNameList(this.serverNames, this.host);
568 init(context, false);
569 this.autoClose = autoClose;
570 doneConnect();
571 }
572
573 /**
574 * Creates a server mode {@link Socket} layered over an
575 * existing connected socket, and is able to read data which has
576 * already been consumed/removed from the {@link Socket}'s
577 * underlying {@link InputStream}.
578 */
579 SSLSocketImpl(SSLContextImpl context, Socket sock,
580 InputStream consumed, boolean autoClose) throws IOException {
581 super(sock, consumed);
582 // We always layer over a connected socket
583 if (!sock.isConnected()) {
584 throw new SocketException("Underlying socket is not connected");
585 }
586
587 // In server mode, it is not necessary to set host and serverNames.
588 // Otherwise, would require a reverse DNS lookup to get the hostname.
589
590 init(context, true);
591 this.autoClose = autoClose;
592 doneConnect();
593 }
594
595 /**
596 * Initializes the client socket.
597 */
598 private void init(SSLContextImpl context, boolean isServer) {
599 sslContext = context;
600 sess = SSLSessionImpl.nullSession;
601 handshakeSession = null;
602
603 /*
604 * role is as specified, state is START until after
605 * the low level connection's established.
606 */
607 roleIsServer = isServer;
608 connectionState = cs_START;
609
610 // initial security parameters for secure renegotiation
611 secureRenegotiation = false;
612 clientVerifyData = new byte[0];
613 serverVerifyData = new byte[0];
614
615 enabledCipherSuites =
616 sslContext.getDefaultCipherSuiteList(roleIsServer);
617 enabledProtocols =
618 sslContext.getDefaultProtocolList(roleIsServer);
619
620 inputRecord = new SSLSocketInputRecord();;
621 outputRecord = new SSLSocketOutputRecord();
622
623 maximumPacketSize = outputRecord.getMaxPacketSize();
624
625 // save the acc
626 acc = AccessController.getContext();
627
628 input = new AppInputStream(this);
629 output = new AppOutputStream(this);
630 }
631
632 /**
633 * Connects this socket to the server with a specified timeout
634 * value.
635 *
636 * This method is either called on an unconnected SSLSocketImpl by the
637 * application, or it is called in the constructor of a regular
638 * SSLSocketImpl. If we are layering on top on another socket, then
639 * this method should not be called, because we assume that the
640 * underlying socket is already connected by the time it is passed to
641 * us.
642 *
643 * @param endpoint the <code>SocketAddress</code>
644 * @param timeout the timeout value to be used, 0 is no timeout
645 * @throws IOException if an error occurs during the connection
646 * @throws SocketTimeoutException if timeout expires before connecting
647 */
648 @Override
649 public void connect(SocketAddress endpoint, int timeout)
650 throws IOException {
651
652 if (isLayered()) {
653 throw new SocketException("Already connected");
654 }
655
656 if (!(endpoint instanceof InetSocketAddress)) {
657 throw new SocketException(
658 "Cannot handle non-Inet socket addresses.");
659 }
660
661 super.connect(endpoint, timeout);
662
663 if (host == null || host.length() == 0) {
664 useImplicitHost(false);
665 }
666
667 doneConnect();
668 }
669
670 /**
671 * Initialize the handshaker and socket streams.
672 *
673 * Called by connect, the layered constructor, and SSLServerSocket.
674 */
675 void doneConnect() throws IOException {
676 /*
677 * Save the input and output streams. May be done only after
678 * java.net actually connects using the socket "self", else
679 * we get some pretty bizarre failure modes.
680 */
681 sockInput = super.getInputStream();
682 sockOutput = super.getOutputStream();
683
684 inputRecord.setDeliverStream(sockOutput);
685 outputRecord.setDeliverStream(sockOutput);
686
687 /*
688 * Move to handshaking state, with pending session initialized
689 * to defaults and the appropriate kind of handshaker set up.
690 */
691 initHandshaker();
692 }
693
694 private synchronized int getConnectionState() {
695 return connectionState;
696 }
697
698 private synchronized void setConnectionState(int state) {
699 connectionState = state;
700 }
701
702 AccessControlContext getAcc() {
703 return acc;
704 }
705
706 //
707 // READING AND WRITING RECORDS
708 //
709
710 /*
711 * Application data record output.
712 *
713 * Application data can't be sent until the first handshake establishes
714 * a session.
715 */
716 void writeRecord(byte[] source, int offset, int length) throws IOException {
717 /*
718 * The loop is in case of HANDSHAKE --> ERROR transitions, etc
719 */
720 // Don't bother to check the emptiness of source applicatoin data
721 // before the security connection established.
722 for (boolean readyForApp = false; !readyForApp;) {
723 /*
724 * Not all states support passing application data. We
725 * synchronize access to the connection state, so that
726 * synchronous handshakes can complete cleanly.
727 */
728 switch (getConnectionState()) {
729
730 /*
731 * We've deferred the initial handshaking till just now,
732 * when presumably a thread's decided it's OK to block for
733 * longish periods of time for I/O purposes (as well as
734 * configured the cipher suites it wants to use).
735 */
736 case cs_HANDSHAKE:
737 performInitialHandshake();
738 break;
739
740 case cs_DATA:
741 case cs_RENEGOTIATE:
742 readyForApp = true;
743 break;
744
745 case cs_ERROR:
746 fatal(Alerts.alert_close_notify,
747 "error while writing to socket");
748 break; // dummy
749
750 case cs_SENT_CLOSE:
751 case cs_CLOSED:
752 case cs_APP_CLOSED:
753 // we should never get here (check in AppOutputStream)
754 // this is just a fallback
755 if (closeReason != null) {
756 throw closeReason;
757 } else {
758 throw new SocketException("Socket closed");
759 }
760
761 /*
762 * Else something's goofy in this state machine's use.
763 */
764 default:
765 throw new SSLProtocolException(
766 "State error, send app data");
767 }
768 }
769
770 //
771 // Don't bother to really write empty records. We went this
772 // far to drive the handshake machinery, for correctness; not
773 // writing empty records improves performance by cutting CPU
774 // time and network resource usage. However, some protocol
775 // implementations are fragile and don't like to see empty
776 // records, so this also increases robustness.
777 //
778 if (length > 0) {
779 IOException ioe = null;
780 byte description = 0; // 0: never used, make the compiler happy
781 writeLock.lock();
782 try {
783 outputRecord.deliver(source, offset, length);
784 } catch (SSLHandshakeException she) {
785 // may be record sequence number overflow
786 description = Alerts.alert_handshake_failure;
787 ioe = she;
788 } catch (IOException e) {
789 description = Alerts.alert_unexpected_message;
790 ioe = e;
791 } finally {
792 writeLock.unlock();
793 }
794
795 // Be care of deadlock. Please don't place the call to fatal()
796 // into the writeLock locked block.
797 if (ioe != null) {
798 fatal(description, ioe);
799 }
800 }
801
802 /*
803 * Check the sequence number state
804 *
805 * Note that in order to maintain the connection I/O
806 * properly, we check the sequence number after the last
807 * record writing process. As we request renegotiation
808 * or close the connection for wrapped sequence number
809 * when there is enough sequence number space left to
810 * handle a few more records, so the sequence number
811 * of the last record cannot be wrapped.
812 *
813 * Don't bother to kickstart the renegotiation when the
814 * local is asking for it.
815 */
816 if ((connectionState == cs_DATA) && outputRecord.seqNumIsHuge()) {
817 /*
818 * Ask for renegotiation when need to renew sequence number.
819 *
820 * Don't bother to kickstart the renegotiation when the local is
821 * asking for it.
822 */
823 if (debug != null && Debug.isOn("ssl")) {
824 System.out.println(Thread.currentThread().getName() +
825 ", request renegotiation " +
826 "to avoid sequence number overflow");
827 }
828
829 startHandshake();
830 }
831 }
832
833 /*
834 * Alert record output.
835 */
836 void writeAlert(byte level, byte description) throws IOException {
837
838 // If the record is a close notify alert, we need to honor
839 // socket option SO_LINGER. Note that we will try to send
840 // the close notify even if the SO_LINGER set to zero.
841 if ((description == Alerts.alert_close_notify) && getSoLinger() >= 0) {
842
843 // keep and clear the current thread interruption status.
844 boolean interrupted = Thread.interrupted();
845 try {
846 if (writeLock.tryLock(getSoLinger(), TimeUnit.SECONDS)) {
847 try {
848 outputRecord.encodeAlert(level, description);
849 } finally {
850 writeLock.unlock();
851 }
852 } else {
853 SSLException ssle = new SSLException(
854 "SO_LINGER timeout," +
855 " close_notify message cannot be sent.");
856
857
858 // For layered, non-autoclose sockets, we are not
859 // able to bring them into a usable state, so we
860 // treat it as fatal error.
861 if (isLayered() && !autoClose) {
862 // Note that the alert description is
863 // specified as -1, so no message will be send
864 // to peer anymore.
865 fatal((byte)(-1), ssle);
866 } else if ((debug != null) && Debug.isOn("ssl")) {
867 System.out.println(
868 Thread.currentThread().getName() +
869 ", received Exception: " + ssle);
870 }
871
872 // RFC2246 requires that the session becomes
873 // unresumable if any connection is terminated
874 // without proper close_notify messages with
875 // level equal to warning.
876 //
877 // RFC4346 no longer requires that a session not be
878 // resumed if failure to properly close a connection.
879 //
880 // We choose to make the session unresumable if
881 // failed to send the close_notify message.
882 //
883 sess.invalidate();
884 }
885 } catch (InterruptedException ie) {
886 // keep interrupted status
887 interrupted = true;
888 }
889
890 // restore the interrupted status
891 if (interrupted) {
892 Thread.currentThread().interrupt();
893 }
894 } else {
895 writeLock.lock();
896 try {
897 outputRecord.encodeAlert(level, description);
898 } finally {
899 writeLock.unlock();
900 }
901 }
902
903 // Don't bother to check sequence number overlap here. If sequence
904 // number is huge, there should be enough sequence number space to
905 // request renegotiation in next application data read and write.
906 }
907
908
909 int bytesInCompletePacket() throws IOException {
910 if (getConnectionState() == cs_HANDSHAKE) {
911 performInitialHandshake();
912 }
913
914 synchronized (readLock) {
915 int state = getConnectionState();
916 if ((state == cs_CLOSED) ||
917 (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
918 return -1;
919 }
920
921 try {
922 return inputRecord.bytesInCompletePacket(sockInput);
923 } catch (EOFException eofe) {
924 boolean handshaking = (connectionState <= cs_HANDSHAKE);
925 boolean rethrow = requireCloseNotify || handshaking;
926 if ((debug != null) && Debug.isOn("ssl")) {
927 System.out.println(Thread.currentThread().getName() +
928 ", received EOFException: "
929 + (rethrow ? "error" : "ignored"));
930 }
931
932 if (!rethrow) {
933 // treat as if we had received a close_notify
934 closeInternal(false);
935 } else {
936 SSLException e;
937 if (handshaking) {
938 e = new SSLHandshakeException(
939 "Remote host terminated the handshake");
940 } else {
941 e = new SSLProtocolException(
942 "Remote host terminated the handshake");
943 }
944 e.initCause(eofe);
945 throw e;
946 }
947 }
948
949 return -1;
950 }
951 }
952
953 // the caller have synchronized readLock
954 void expectingFinishFlight() {
955 inputRecord.expectingFinishFlight();
956 }
957
958 /*
959 * Read an application data record.
960 *
961 * Alerts and handshake messages are internally handled directly.
962 */
963 int readRecord(ByteBuffer buffer) throws IOException {
964 if (getConnectionState() == cs_HANDSHAKE) {
965 performInitialHandshake();
966 }
967
968 return readRecord(buffer, true);
969 }
970
971 /*
972 * Read a record, no application data input required.
973 *
974 * Alerts and handshake messages are internally handled directly.
975 */
976 int readRecord(boolean needAppData) throws IOException {
977 return readRecord(null, needAppData);
978 }
979
980 /*
981 * Clear the pipeline of records from the peer, optionally returning
982 * application data. Caller is responsible for knowing that it's
983 * possible to do this kind of clearing, if they don't want app
984 * data -- e.g. since it's the initial SSL handshake.
985 *
986 * Don't synchronize (this) during a blocking read() since it
987 * protects data which is accessed on the write side as well.
988 */
989 private int readRecord(ByteBuffer buffer, boolean needAppData)
990 throws IOException {
991 int state;
992
993 // readLock protects reading and processing of an SSLInputRecord.
994 // It keeps the reading from sockInput and processing of the record
995 // atomic so that no two threads can be blocked on the
996 // read from the same input stream at the same time.
997 // This is required for example when a reader thread is
998 // blocked on the read and another thread is trying to
999 // close the socket. For a non-autoclose, layered socket,
1000 // the thread performing the close needs to read the close_notify.
1001 //
1002 // Use readLock instead of 'this' for locking because
1003 // 'this' also protects data accessed during writing.
1004 synchronized (readLock) {
1005 /*
1006 * Read and handle records ... return application data
1007 * ONLY if it's needed.
1008 */
1009 Plaintext plainText = null;
1010 while (((state = getConnectionState()) != cs_CLOSED) &&
1011 (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
1012
1013 /*
1014 * clean the buffer and check if it is too small, e.g. because
1015 * the AppInputStream did not have the chance to see the
1016 * current packet length but rather something like that of the
1017 * handshake before. In that case we return 0 at this point to
1018 * give the caller the chance to adjust the buffer.
1019 */
1020 if (buffer != null) {
1021 buffer.clear();
1022
1023 if (buffer.remaining() <
1024 inputRecord.bytesInCompletePacket(sockInput)) {
1025 return 0;
1026 }
1027 }
1028
1029 /*
1030 * Read a record ... maybe emitting an alert if we get a
1031 * comprehensible but unsupported "hello" message during
1032 * format checking (e.g. V2).
1033 */
1034 try {
1035 plainText = inputRecord.decode(sockInput, buffer);
1036 } catch (BadPaddingException bpe) {
1037 byte alertType = (state != cs_DATA) ?
1038 Alerts.alert_handshake_failure :
1039 Alerts.alert_bad_record_mac;
1040 fatal(alertType, bpe.getMessage(), bpe);
1041 } catch (SSLProtocolException spe) {
1042 try {
1043 fatal(Alerts.alert_unexpected_message, spe);
1044 } catch (IOException x) {
1045 // discard this exception, throw the original exception
1046 }
1047 throw spe;
1048 } catch (SSLHandshakeException she) {
1049 // may be record sequence number overflow
1050 fatal(Alerts.alert_handshake_failure, she);
1051 } catch (EOFException eof) {
1052 boolean handshaking = (connectionState <= cs_HANDSHAKE);
1053 boolean rethrow = requireCloseNotify || handshaking;
1054 if ((debug != null) && Debug.isOn("ssl")) {
1055 System.out.println(Thread.currentThread().getName() +
1056 ", received EOFException: "
1057 + (rethrow ? "error" : "ignored"));
1058 }
1059 if (rethrow) {
1060 SSLException e;
1061 if (handshaking) {
1062 e = new SSLHandshakeException(
1063 "Remote host terminated the handshake");
1064 } else {
1065 e = new SSLProtocolException(
1066 "Remote host terminated the connection");
1067 }
1068 e.initCause(eof);
1069 throw e;
1070 } else {
1071 // treat as if we had received a close_notify
1072 closeInternal(false);
1073 continue;
1074 }
1075 }
1076
1077 // PlainText should never be null. Process input record.
1078 int volume = processInputRecord(plainText, needAppData);
1079
1080 if (plainText.contentType == Record.ct_application_data) {
1081 return volume;
1082 }
1083
1084 if (plainText.contentType == Record.ct_handshake) {
1085 if (!needAppData && connectionState == cs_DATA) {
1086 return volume;
1087 } // otherwise, need to read more for app data.
1088 }
1089
1090 // continue to read more net data
1091 } // while
1092
1093 //
1094 // couldn't read, due to some kind of error
1095 //
1096 return -1;
1097 } // readLock synchronization
1098 }
1099
1100 /*
1101 * Process the plainText input record.
1102 */
1103 private synchronized int processInputRecord(
1104 Plaintext plainText, boolean needAppData) throws IOException {
1105
1106 /*
1107 * Process the record.
1108 */
1109 int volume = 0; // no application data
1110 switch (plainText.contentType) {
1111 case Record.ct_handshake:
1112 /*
1113 * Handshake messages always go to a pending session
1114 * handshaker ... if there isn't one, create one. This
1115 * must work asynchronously, for renegotiation.
1116 *
1117 * NOTE that handshaking will either resume a session
1118 * which was in the cache (and which might have other
1119 * connections in it already), or else will start a new
1120 * session (new keys exchanged) with just this connection
1121 * in it.
1122 */
1123 initHandshaker();
1124 if (!handshaker.activated()) {
1125 // prior to handshaking, activate the handshake
1126 if (connectionState == cs_RENEGOTIATE) {
1127 // don't use SSLv2Hello when renegotiating
1128 handshaker.activate(protocolVersion);
1129 } else {
1130 handshaker.activate(null);
1131 }
1132 }
1133
1134 /*
1135 * process the handshake record ... may contain just
1136 * a partial handshake message or multiple messages.
1137 *
1138 * The handshaker state machine will ensure that it's
1139 * a finished message.
1140 */
1141 handshaker.processRecord(plainText.fragment, expectingFinished);
1142 expectingFinished = false;
1143
1144 if (handshaker.invalidated) {
1145 handshaker = null;
1146 inputRecord.setHandshakeHash(null);
1147 outputRecord.setHandshakeHash(null);
1148
1149 // if state is cs_RENEGOTIATE, revert it to cs_DATA
1150 if (connectionState == cs_RENEGOTIATE) {
1151 connectionState = cs_DATA;
1152 }
1153 } else if (handshaker.isDone()) {
1154 // reset the parameters for secure renegotiation.
1155 secureRenegotiation =
1156 handshaker.isSecureRenegotiation();
1157 clientVerifyData = handshaker.getClientVerifyData();
1158 serverVerifyData = handshaker.getServerVerifyData();
1159 // set connection ALPN value
1160 applicationProtocol =
1161 handshaker.getHandshakeApplicationProtocol();
1162
1163 sess = handshaker.getSession();
1164 handshakeSession = null;
1165 handshaker = null;
1166 inputRecord.setHandshakeHash(null);
1167 outputRecord.setHandshakeHash(null);
1168 connectionState = cs_DATA;
1169
1170 //
1171 // Tell folk about handshake completion, but do
1172 // it in a separate thread.
1173 //
1174 if (handshakeListeners != null) {
1175 HandshakeCompletedEvent event =
1176 new HandshakeCompletedEvent(this, sess);
1177
1178 Thread thread = new Thread(
1179 null,
1180 new NotifyHandshake(
1181 handshakeListeners.entrySet(), event),
1182 "HandshakeCompletedNotify-Thread",
1183 0,
1184 false);
1185 thread.start();
1186 }
1187 }
1188
1189 break;
1190
1191 case Record.ct_application_data:
1192 if (connectionState != cs_DATA
1193 && connectionState != cs_RENEGOTIATE
1194 && connectionState != cs_SENT_CLOSE) {
1195 throw new SSLProtocolException(
1196 "Data received in non-data state: " +
1197 connectionState);
1198 }
1199 if (expectingFinished) {
1200 throw new SSLProtocolException
1201 ("Expecting finished message, received data");
1202 }
1203 if (!needAppData) {
1204 throw new SSLException("Discarding app data");
1205 }
1206
1207 volume = plainText.fragment.remaining();
1208 break;
1209
1210 case Record.ct_alert:
1211 recvAlert(plainText.fragment);
1212 break;
1213
1214 case Record.ct_change_cipher_spec:
1215 if ((connectionState != cs_HANDSHAKE
1216 && connectionState != cs_RENEGOTIATE)) {
1217 // For the CCS message arriving in the wrong state
1218 fatal(Alerts.alert_unexpected_message,
1219 "illegal change cipher spec msg, conn state = "
1220 + connectionState);
1221 } else if (plainText.fragment.remaining() != 1
1222 || plainText.fragment.get() != 1) {
1223 // For structural/content issues with the CCS
1224 fatal(Alerts.alert_unexpected_message,
1225 "Malformed change cipher spec msg");
1226 }
1227
1228 //
1229 // The first message after a change_cipher_spec
1230 // record MUST be a "Finished" handshake record,
1231 // else it's a protocol violation. We force this
1232 // to be checked by a minor tweak to the state
1233 // machine.
1234 //
1235 handshaker.receiveChangeCipherSpec();
1236
1237 CipherBox readCipher;
1238 Authenticator readAuthenticator;
1239 try {
1240 readCipher = handshaker.newReadCipher();
1241 readAuthenticator = handshaker.newReadAuthenticator();
1242 } catch (GeneralSecurityException e) {
1243 // can't happen
1244 throw new SSLException("Algorithm missing: ", e);
1245 }
1246 inputRecord.changeReadCiphers(readAuthenticator, readCipher);
1247
1248 // next message MUST be a finished message
1249 expectingFinished = true;
1250
1251 break;
1252
1253 default:
1254 //
1255 // TLS requires that unrecognized records be ignored.
1256 //
1257 if (debug != null && Debug.isOn("ssl")) {
1258 System.out.println(Thread.currentThread().getName() +
1259 ", Received record type: " + plainText.contentType);
1260 }
1261 break;
1262 }
1263
1264 /*
1265 * Check the sequence number state
1266 *
1267 * Note that in order to maintain the connection I/O
1268 * properly, we check the sequence number after the last
1269 * record reading process. As we request renegotiation
1270 * or close the connection for wrapped sequence number
1271 * when there is enough sequence number space left to
1272 * handle a few more records, so the sequence number
1273 * of the last record cannot be wrapped.
1274 *
1275 * Don't bother to kickstart the renegotiation when the
1276 * local is asking for it.
1277 */
1278 if ((connectionState == cs_DATA) && inputRecord.seqNumIsHuge()) {
1279 /*
1280 * Ask for renegotiation when need to renew sequence number.
1281 *
1282 * Don't bother to kickstart the renegotiation when the local is
1283 * asking for it.
1284 */
1285 if (debug != null && Debug.isOn("ssl")) {
1286 System.out.println(Thread.currentThread().getName() +
1287 ", request renegotiation " +
1288 "to avoid sequence number overflow");
1289 }
1290
1291 startHandshake();
1292 }
1293
1294 return volume;
1295 }
1296
1297
1298 //
1299 // HANDSHAKE RELATED CODE
1300 //
1301
1302 /**
1303 * Return the AppInputStream. For use by Handshaker only.
1304 */
1305 AppInputStream getAppInputStream() {
1306 return input;
1307 }
1308
1309 /**
1310 * Return the AppOutputStream. For use by Handshaker only.
1311 */
1312 AppOutputStream getAppOutputStream() {
1313 return output;
1314 }
1315
1316 /**
1317 * Initialize the handshaker object. This means:
1318 *
1319 * . if a handshake is already in progress (state is cs_HANDSHAKE
1320 * or cs_RENEGOTIATE), do nothing and return
1321 *
1322 * . if the socket is already closed, throw an Exception (internal error)
1323 *
1324 * . otherwise (cs_START or cs_DATA), create the appropriate handshaker
1325 * object, and advance the connection state (to cs_HANDSHAKE or
1326 * cs_RENEGOTIATE, respectively).
1327 *
1328 * This method is called right after a new socket is created, when
1329 * starting renegotiation, or when changing client/ server mode of the
1330 * socket.
1331 */
1332 private void initHandshaker() {
1333 switch (connectionState) {
1334
1335 //
1336 // Starting a new handshake.
1337 //
1338 case cs_START:
1339 case cs_DATA:
1340 break;
1341
1342 //
1343 // We're already in the middle of a handshake.
1344 //
1345 case cs_HANDSHAKE:
1346 case cs_RENEGOTIATE:
1347 return;
1348
1349 //
1350 // Anyone allowed to call this routine is required to
1351 // do so ONLY if the connection state is reasonable...
1352 //
1353 default:
1354 throw new IllegalStateException("Internal error");
1355 }
1356
1357 // state is either cs_START or cs_DATA
1358 if (connectionState == cs_START) {
1359 connectionState = cs_HANDSHAKE;
1360 } else { // cs_DATA
1361 connectionState = cs_RENEGOTIATE;
1362 }
1363
1364 if (roleIsServer) {
1365 handshaker = new ServerHandshaker(this, sslContext,
1366 enabledProtocols, doClientAuth,
1367 protocolVersion, connectionState == cs_HANDSHAKE,
1368 secureRenegotiation, clientVerifyData, serverVerifyData);
1369 handshaker.setSNIMatchers(sniMatchers);
1370 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
1371 } else {
1372 handshaker = new ClientHandshaker(this, sslContext,
1373 enabledProtocols,
1374 protocolVersion, connectionState == cs_HANDSHAKE,
1375 secureRenegotiation, clientVerifyData, serverVerifyData);
1376 handshaker.setSNIServerNames(serverNames);
1377 }
1378 handshaker.setMaximumPacketSize(maximumPacketSize);
1379 handshaker.setEnabledCipherSuites(enabledCipherSuites);
1380 handshaker.setEnableSessionCreation(enableSessionCreation);
1381 handshaker.setApplicationProtocols(applicationProtocols);
1382 handshaker.setApplicationProtocolSelectorSSLSocket(
1383 applicationProtocolSelector);
1384 }
1385
1386 /**
1387 * Synchronously perform the initial handshake.
1388 *
1389 * If the handshake is already in progress, this method blocks until it
1390 * is completed. If the initial handshake has already been completed,
1391 * it returns immediately.
1392 */
1393 private void performInitialHandshake() throws IOException {
1394 // use handshakeLock and the state check to make sure only
1395 // one thread performs the handshake
1396 synchronized (handshakeLock) {
1397 if (getConnectionState() == cs_HANDSHAKE) {
1398 kickstartHandshake();
1399
1400 /*
1401 * All initial handshaking goes through this operation
1402 * until we have a valid SSL connection.
1403 *
1404 * Handle handshake messages only, need no application data.
1405 */
1406 readRecord(false);
1407 }
1408 }
1409 }
1410
1411 /**
1412 * Starts an SSL handshake on this connection.
1413 */
1414 @Override
1415 public void startHandshake() throws IOException {
1416 // start an ssl handshake that could be resumed from timeout exception
1417 startHandshake(true);
1418 }
1419
1420 /**
1421 * Starts an ssl handshake on this connection.
1422 *
1423 * @param resumable indicates the handshake process is resumable from a
1424 * certain exception. If <code>resumable</code>, the socket will
1425 * be reserved for exceptions like timeout; otherwise, the socket
1426 * will be closed, no further communications could be done.
1427 */
1428 private void startHandshake(boolean resumable) throws IOException {
1429 checkWrite();
1430 try {
1431 if (getConnectionState() == cs_HANDSHAKE) {
1432 // do initial handshake
1433 performInitialHandshake();
1434 } else {
1435 // start renegotiation
1436 kickstartHandshake();
1437 }
1438 } catch (Exception e) {
1439 // shutdown and rethrow (wrapped) exception as appropriate
1440 handleException(e, resumable);
1441 }
1442 }
1443
1444 /**
1445 * Kickstart the handshake if it is not already in progress.
1446 * This means:
1447 *
1448 * . if handshaking is already underway, do nothing and return
1449 *
1450 * . if the socket is not connected or already closed, throw an
1451 * Exception.
1452 *
1453 * . otherwise, call initHandshake() to initialize the handshaker
1454 * object and progress the state. Then, send the initial
1455 * handshaking message if appropriate (always on clients and
1456 * on servers when renegotiating).
1457 */
1458 private synchronized void kickstartHandshake() throws IOException {
1459
1460 switch (connectionState) {
1461
1462 case cs_HANDSHAKE:
1463 // handshaker already setup, proceed
1464 break;
1465
1466 case cs_DATA:
1467 if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) {
1468 throw new SSLHandshakeException(
1469 "Insecure renegotiation is not allowed");
1470 }
1471
1472 if (!secureRenegotiation) {
1473 if (debug != null && Debug.isOn("handshake")) {
1474 System.out.println(
1475 "Warning: Using insecure renegotiation");
1476 }
1477 }
1478
1479 // initialize the handshaker, move to cs_RENEGOTIATE
1480 initHandshaker();
1481 break;
1482
1483 case cs_RENEGOTIATE:
1484 // handshaking already in progress, return
1485 return;
1486
1487 /*
1488 * The only way to get a socket in the state is when
1489 * you have an unconnected socket.
1490 */
1491 case cs_START:
1492 throw new SocketException(
1493 "handshaking attempted on unconnected socket");
1494
1495 default:
1496 throw new SocketException("connection is closed");
1497 }
1498
1499 //
1500 // Kickstart handshake state machine if we need to ...
1501 //
1502 // Note that handshaker.kickstart() writes the message
1503 // to its HandshakeOutStream, which calls back into
1504 // SSLSocketImpl.writeRecord() to send it.
1505 //
1506 if (!handshaker.activated()) {
1507 // prior to handshaking, activate the handshake
1508 if (connectionState == cs_RENEGOTIATE) {
1509 // don't use SSLv2Hello when renegotiating
1510 handshaker.activate(protocolVersion);
1511 } else {
1512 handshaker.activate(null);
1513 }
1514
1515 if (handshaker instanceof ClientHandshaker) {
1516 // send client hello
1517 handshaker.kickstart();
1518 } else {
1519 if (connectionState == cs_HANDSHAKE) {
1520 // initial handshake, no kickstart message to send
1521 } else {
1522 // we want to renegotiate, send hello request
1523 handshaker.kickstart();
1524 }
1525 }
1526 }
1527 }
1528
1529 //
1530 // CLOSURE RELATED CALLS
1531 //
1532
1533 /**
1534 * Return whether the socket has been explicitly closed by the application.
1535 */
1536 @Override
1537 public boolean isClosed() {
1538 return connectionState == cs_APP_CLOSED;
1539 }
1540
1541 /**
1542 * Return whether we have reached end-of-file.
1543 *
1544 * If the socket is not connected, has been shutdown because of an error
1545 * or has been closed, throw an Exception.
1546 */
1547 boolean checkEOF() throws IOException {
1548 switch (getConnectionState()) {
1549 case cs_START:
1550 throw new SocketException("Socket is not connected");
1551
1552 case cs_HANDSHAKE:
1553 case cs_DATA:
1554 case cs_RENEGOTIATE:
1555 case cs_SENT_CLOSE:
1556 return false;
1557
1558 case cs_APP_CLOSED:
1559 throw new SocketException("Socket is closed");
1560
1561 case cs_ERROR:
1562 case cs_CLOSED:
1563 default:
1564 // either closed because of error, or normal EOF
1565 if (closeReason == null) {
1566 return true;
1567 }
1568 IOException e = new SSLException
1569 ("Connection has been shutdown: " + closeReason);
1570 e.initCause(closeReason);
1571 throw e;
1572
1573 }
1574 }
1575
1576 /**
1577 * Check if we can write data to this socket. If not, throw an IOException.
1578 */
1579 void checkWrite() throws IOException {
1580 if (checkEOF() || (getConnectionState() == cs_SENT_CLOSE)) {
1581 // we are at EOF, write must throw Exception
1582 throw new SocketException("Connection closed by remote host");
1583 }
1584 }
1585
1586 private void closeSocket() throws IOException {
1587
1588 if ((debug != null) && Debug.isOn("ssl")) {
1589 System.out.println(Thread.currentThread().getName() +
1590 ", called closeSocket()");
1591 }
1592
1593 super.close();
1594 }
1595
1596 private void closeSocket(boolean selfInitiated) throws IOException {
1597 if ((debug != null) && Debug.isOn("ssl")) {
1598 System.out.println(Thread.currentThread().getName() +
1599 ", called closeSocket(" + selfInitiated + ")");
1600 }
1601 if (!isLayered() || autoClose) {
1602 super.close();
1603 } else if (selfInitiated) {
1604 // layered && non-autoclose
1605 // read close_notify alert to clear input stream
1606 waitForClose(false);
1607 }
1608 }
1609
1610 /*
1611 * Closing the connection is tricky ... we can't officially close the
1612 * connection until we know the other end is ready to go away too,
1613 * and if ever the connection gets aborted we must forget session
1614 * state (it becomes invalid).
1615 */
1616
1617 /**
1618 * Closes the SSL connection. SSL includes an application level
1619 * shutdown handshake; you should close SSL sockets explicitly
1620 * rather than leaving it for finalization, so that your remote
1621 * peer does not experience a protocol error.
1622 */
1623 @Override
1624 public void close() throws IOException {
1625 if ((debug != null) && Debug.isOn("ssl")) {
1626 System.out.println(Thread.currentThread().getName() +
1627 ", called close()");
1628 }
1629 closeInternal(true); // caller is initiating close
1630
1631 // Clearup the resources.
1632 try {
1633 synchronized (readLock) {
1634 inputRecord.close();
1635 }
1636
1637 writeLock.lock();
1638 try {
1639 outputRecord.close();
1640 } finally {
1641 writeLock.unlock();
1642 }
1643 } catch (IOException ioe) {
1644 // ignore
1645 }
1646
1647 setConnectionState(cs_APP_CLOSED);
1648 }
1649
1650 /**
1651 * Don't synchronize the whole method because waitForClose()
1652 * (which calls readRecord()) might be called.
1653 *
1654 * @param selfInitiated Indicates which party initiated the close.
1655 * If selfInitiated, this side is initiating a close; for layered and
1656 * non-autoclose socket, wait for close_notify response.
1657 * If !selfInitiated, peer sent close_notify; we reciprocate but
1658 * no need to wait for response.
1659 */
1660 private void closeInternal(boolean selfInitiated) throws IOException {
1661 if ((debug != null) && Debug.isOn("ssl")) {
1662 System.out.println(Thread.currentThread().getName() +
1663 ", called closeInternal(" + selfInitiated + ")");
1664 }
1665
1666 int state = getConnectionState();
1667 boolean closeSocketCalled = false;
1668 Throwable cachedThrowable = null;
1669 try {
1670 switch (state) {
1671 case cs_START:
1672 // unconnected socket or handshaking has not been initialized
1673 closeSocket(selfInitiated);
1674 break;
1675
1676 /*
1677 * If we're closing down due to error, we already sent (or else
1678 * received) the fatal alert ... no niceties, blow the connection
1679 * away as quickly as possible (even if we didn't allocate the
1680 * socket ourselves; it's unusable, regardless).
1681 */
1682 case cs_ERROR:
1683 closeSocket();
1684 break;
1685
1686 /*
1687 * Sometimes close() gets called more than once.
1688 */
1689 case cs_CLOSED:
1690 case cs_APP_CLOSED:
1691 break;
1692
1693 /*
1694 * Otherwise we indicate clean termination.
1695 */
1696 // case cs_HANDSHAKE:
1697 // case cs_DATA:
1698 // case cs_RENEGOTIATE:
1699 // case cs_SENT_CLOSE:
1700 default:
1701 synchronized (this) {
1702 if (((state = getConnectionState()) == cs_CLOSED) ||
1703 (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
1704 return; // connection was closed while we waited
1705 }
1706 if (state != cs_SENT_CLOSE) {
1707 try {
1708 warning(Alerts.alert_close_notify);
1709 connectionState = cs_SENT_CLOSE;
1710 } catch (Throwable th) {
1711 // we need to ensure socket is closed out
1712 // if we encounter any errors.
1713 connectionState = cs_ERROR;
1714 // cache this for later use
1715 cachedThrowable = th;
1716 closeSocketCalled = true;
1717 closeSocket(selfInitiated);
1718 }
1719 }
1720 }
1721 // If state was cs_SENT_CLOSE before, we don't do the actual
1722 // closing since it is already in progress.
1723 if (state == cs_SENT_CLOSE) {
1724 if (debug != null && Debug.isOn("ssl")) {
1725 System.out.println(Thread.currentThread().getName() +
1726 ", close invoked again; state = " +
1727 getConnectionState());
1728 }
1729 if (selfInitiated == false) {
1730 // We were called because a close_notify message was
1731 // received. This may be due to another thread calling
1732 // read() or due to our call to waitForClose() below.
1733 // In either case, just return.
1734 return;
1735 }
1736 // Another thread explicitly called close(). We need to
1737 // wait for the closing to complete before returning.
1738 synchronized (this) {
1739 while (connectionState < cs_CLOSED) {
1740 try {
1741 this.wait();
1742 } catch (InterruptedException e) {
1743 // ignore
1744 }
1745 }
1746 }
1747 if ((debug != null) && Debug.isOn("ssl")) {
1748 System.out.println(Thread.currentThread().getName() +
1749 ", after primary close; state = " +
1750 getConnectionState());
1751 }
1752 return;
1753 }
1754
1755 if (!closeSocketCalled) {
1756 closeSocketCalled = true;
1757 closeSocket(selfInitiated);
1758 }
1759
1760 break;
1761 }
1762 } finally {
1763 synchronized (this) {
1764 // Upon exit from this method, the state is always >= cs_CLOSED
1765 connectionState = (connectionState == cs_APP_CLOSED)
1766 ? cs_APP_CLOSED : cs_CLOSED;
1767 // notify any threads waiting for the closing to finish
1768 this.notifyAll();
1769 }
1770
1771 if (cachedThrowable != null) {
1772 /*
1773 * Rethrow the error to the calling method
1774 * The Throwable caught can only be an Error or RuntimeException
1775 */
1776 if (cachedThrowable instanceof Error) {
1777 throw (Error)cachedThrowable;
1778 } else if (cachedThrowable instanceof RuntimeException) {
1779 throw (RuntimeException)cachedThrowable;
1780 } // Otherwise, unlikely
1781 }
1782 }
1783 }
1784
1785 /**
1786 * Reads a close_notify or a fatal alert from the input stream.
1787 * Keep reading records until we get a close_notify or until
1788 * the connection is otherwise closed. The close_notify or alert
1789 * might be read by another reader,
1790 * which will then process the close and set the connection state.
1791 */
1792 void waitForClose(boolean rethrow) throws IOException {
1793 if (debug != null && Debug.isOn("ssl")) {
1794 System.out.println(Thread.currentThread().getName() +
1795 ", waiting for close_notify or alert: state "
1796 + getConnectionState());
1797 }
1798
1799 try {
1800 int state;
1801
1802 while (((state = getConnectionState()) != cs_CLOSED) &&
1803 (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
1804
1805 // Ask for app data and then throw it away
1806 try {
1807 readRecord(true);
1808 } catch (SocketTimeoutException e) {
1809 // if time out, ignore the exception and continue
1810 }
1811 }
1812 } catch (IOException e) {
1813 if (debug != null && Debug.isOn("ssl")) {
1814 System.out.println(Thread.currentThread().getName() +
1815 ", Exception while waiting for close " +e);
1816 }
1817 if (rethrow) {
1818 throw e; // pass exception up
1819 }
1820 }
1821 }
1822
1823 //
1824 // EXCEPTION AND ALERT HANDLING
1825 //
1826
1827 /**
1828 * Handle an exception. This method is called by top level exception
1829 * handlers (in read(), write()) to make sure we always shutdown the
1830 * connection correctly and do not pass runtime exception to the
1831 * application.
1832 */
1833 void handleException(Exception e) throws IOException {
1834 handleException(e, true);
1835 }
1836
1837 /**
1838 * Handle an exception. This method is called by top level exception
1839 * handlers (in read(), write(), startHandshake()) to make sure we
1840 * always shutdown the connection correctly and do not pass runtime
1841 * exception to the application.
1842 *
1843 * This method never returns normally, it always throws an IOException.
1844 *
1845 * We first check if the socket has already been shutdown because of an
1846 * error. If so, we just rethrow the exception. If the socket has not
1847 * been shutdown, we sent a fatal alert and remember the exception.
1848 *
1849 * @param e the Exception
1850 * @param resumable indicates the caller process is resumable from the
1851 * exception. If <code>resumable</code>, the socket will be
1852 * reserved for exceptions like timeout; otherwise, the socket
1853 * will be closed, no further communications could be done.
1854 */
1855 private synchronized void handleException(Exception e, boolean resumable)
1856 throws IOException {
1857 if ((debug != null) && Debug.isOn("ssl")) {
1858 System.out.println(Thread.currentThread().getName() +
1859 ", handling exception: " + e.toString());
1860 }
1861
1862 // don't close the Socket in case of timeouts or interrupts if
1863 // the process is resumable.
1864 if (e instanceof InterruptedIOException && resumable) {
1865 throw (IOException)e;
1866 }
1867
1868 // if we've already shutdown because of an error,
1869 // there is nothing to do except rethrow the exception
1870 if (closeReason != null) {
1871 if (e instanceof IOException) { // includes SSLException
1872 throw (IOException)e;
1873 } else {
1874 // this is odd, not an IOException.
1875 // normally, this should not happen
1876 // if closeReason has been already been set
1877 throw Alerts.getSSLException(Alerts.alert_internal_error, e,
1878 "Unexpected exception");
1879 }
1880 }
1881
1882 // need to perform error shutdown
1883 boolean isSSLException = (e instanceof SSLException);
1884 if ((!isSSLException) && (e instanceof IOException)) {
1885 // IOException from the socket
1886 // this means the TCP connection is already dead
1887 // we call fatal just to set the error status
1888 try {
1889 fatal(Alerts.alert_unexpected_message, e);
1890 } catch (IOException ee) {
1891 // ignore (IOException wrapped in SSLException)
1892 }
1893 // rethrow original IOException
1894 throw (IOException)e;
1895 }
1896
1897 // must be SSLException or RuntimeException
1898 byte alertType;
1899 if (isSSLException) {
1900 if (e instanceof SSLHandshakeException) {
1901 alertType = Alerts.alert_handshake_failure;
1902 } else {
1903 alertType = Alerts.alert_unexpected_message;
1904 }
1905 } else {
1906 alertType = Alerts.alert_internal_error;
1907 }
1908 fatal(alertType, e);
1909 }
1910
1911 /*
1912 * Send a warning alert.
1913 */
1914 void warning(byte description) {
1915 sendAlert(Alerts.alert_warning, description);
1916 }
1917
1918 synchronized void fatal(byte description, String diagnostic)
1919 throws IOException {
1920 fatal(description, diagnostic, null);
1921 }
1922
1923 synchronized void fatal(byte description, Throwable cause)
1924 throws IOException {
1925 fatal(description, null, cause);
1926 }
1927
1928 /*
1929 * Send a fatal alert, and throw an exception so that callers will
1930 * need to stand on their heads to accidentally continue processing.
1931 */
1932 synchronized void fatal(byte description, String diagnostic,
1933 Throwable cause) throws IOException {
1934
1935 // Be care of deadlock. Please don't synchronize readLock.
1936 try {
1937 inputRecord.close();
1938 } catch (IOException ioe) {
1939 // ignore
1940 }
1941
1942 sess.invalidate();
1943 if (handshakeSession != null) {
1944 handshakeSession.invalidate();
1945 }
1946
1947 int oldState = connectionState;
1948 if (connectionState < cs_ERROR) {
1949 connectionState = cs_ERROR;
1950 }
1951
1952 /*
1953 * Has there been an error received yet? If not, remember it.
1954 * By RFC 2246, we don't bother waiting for a response.
1955 * Fatal errors require immediate shutdown.
1956 */
1957 if (closeReason == null) {
1958 /*
1959 * Try to clear the kernel buffer to avoid TCP connection resets.
1960 */
1961 if (oldState == cs_HANDSHAKE) {
1962 sockInput.skip(sockInput.available());
1963 }
1964
1965 // If the description equals -1, the alert won't be sent to peer.
1966 if (description != -1) {
1967 sendAlert(Alerts.alert_fatal, description);
1968 }
1969 if (cause instanceof SSLException) { // only true if != null
1970 closeReason = (SSLException)cause;
1971 } else {
1972 closeReason =
1973 Alerts.getSSLException(description, cause, diagnostic);
1974 }
1975 }
1976
1977 /*
1978 * Clean up our side.
1979 */
1980 closeSocket();
1981
1982 // Be care of deadlock. Please don't synchronize writeLock.
1983 try {
1984 outputRecord.close();
1985 } catch (IOException ioe) {
1986 // ignore
1987 }
1988
1989 throw closeReason;
1990 }
1991
1992
1993 /*
1994 * Process an incoming alert ... caller must already have synchronized
1995 * access to "this".
1996 */
1997 private void recvAlert(ByteBuffer fragment) throws IOException {
1998 byte level = fragment.get();
1999 byte description = fragment.get();
2000
2001 if (description == -1) { // check for short message
2002 fatal(Alerts.alert_illegal_parameter, "Short alert message");
2003 }
2004
2005 if (debug != null && (Debug.isOn("record") ||
2006 Debug.isOn("handshake"))) {
2007 synchronized (System.out) {
2008 System.out.print(Thread.currentThread().getName());
2009 System.out.print(", RECV " + protocolVersion + " ALERT: ");
2010 if (level == Alerts.alert_fatal) {
2011 System.out.print("fatal, ");
2012 } else if (level == Alerts.alert_warning) {
2013 System.out.print("warning, ");
2014 } else {
2015 System.out.print("<level " + (0x0ff & level) + ">, ");
2016 }
2017 System.out.println(Alerts.alertDescription(description));
2018 }
2019 }
2020
2021 if (level == Alerts.alert_warning) {
2022 if (description == Alerts.alert_close_notify) {
2023 if (connectionState == cs_HANDSHAKE) {
2024 fatal(Alerts.alert_unexpected_message,
2025 "Received close_notify during handshake");
2026 } else {
2027 closeInternal(false); // reply to close
2028 }
2029 } else {
2030
2031 //
2032 // The other legal warnings relate to certificates,
2033 // e.g. no_certificate, bad_certificate, etc; these
2034 // are important to the handshaking code, which can
2035 // also handle illegal protocol alerts if needed.
2036 //
2037 if (handshaker != null) {
2038 handshaker.handshakeAlert(description);
2039 }
2040 }
2041 } else { // fatal or unknown level
2042 String reason = "Received fatal alert: "
2043 + Alerts.alertDescription(description);
2044 if (closeReason == null) {
2045 closeReason = Alerts.getSSLException(description, reason);
2046 }
2047 fatal(Alerts.alert_unexpected_message, reason);
2048 }
2049 }
2050
2051
2052 /*
2053 * Emit alerts. Caller must have synchronized with "this".
2054 */
2055 private void sendAlert(byte level, byte description) {
2056 // the connectionState cannot be cs_START
2057 if (connectionState >= cs_SENT_CLOSE) {
2058 return;
2059 }
2060
2061 // For initial handshaking, don't send alert message to peer if
2062 // handshaker has not started.
2063 //
2064 // Shall we send an fatal alter to terminate the connection gracefully?
2065 if (connectionState <= cs_HANDSHAKE &&
2066 (handshaker == null || !handshaker.started() ||
2067 !handshaker.activated())) {
2068 return;
2069 }
2070
2071 boolean useDebug = debug != null && Debug.isOn("ssl");
2072 if (useDebug) {
2073 synchronized (System.out) {
2074 System.out.print(Thread.currentThread().getName());
2075 System.out.print(", SEND " + protocolVersion + " ALERT: ");
2076 if (level == Alerts.alert_fatal) {
2077 System.out.print("fatal, ");
2078 } else if (level == Alerts.alert_warning) {
2079 System.out.print("warning, ");
2080 } else {
2081 System.out.print("<level = " + (0x0ff & level) + ">, ");
2082 }
2083 System.out.println("description = "
2084 + Alerts.alertDescription(description));
2085 }
2086 }
2087
2088 try {
2089 writeAlert(level, description);
2090 } catch (IOException e) {
2091 if (useDebug) {
2092 System.out.println(Thread.currentThread().getName() +
2093 ", Exception sending alert: " + e);
2094 }
2095 }
2096 }
2097
2098 //
2099 // VARIOUS OTHER METHODS
2100 //
2101
2102 // used by Handshaker
2103 void changeWriteCiphers() throws IOException {
2104 Authenticator writeAuthenticator;
2105 CipherBox writeCipher;
2106 try {
2107 writeCipher = handshaker.newWriteCipher();
2108 writeAuthenticator = handshaker.newWriteAuthenticator();
2109 } catch (GeneralSecurityException e) {
2110 // "can't happen"
2111 throw new SSLException("Algorithm missing: ", e);
2112 }
2113 outputRecord.changeWriteCiphers(writeAuthenticator, writeCipher);
2114 }
2115
2116 /*
2117 * Updates the SSL version associated with this connection.
2118 * Called from Handshaker once it has determined the negotiated version.
2119 */
2120 synchronized void setVersion(ProtocolVersion protocolVersion) {
2121 this.protocolVersion = protocolVersion;
2122 outputRecord.setVersion(protocolVersion);
2123 }
2124
2125 //
2126 // ONLY used by ClientHandshaker for the server hostname during handshaking
2127 //
2128 synchronized String getHost() {
2129 // Note that the host may be null or empty for localhost.
2130 if (host == null || host.length() == 0) {
2131 useImplicitHost(true);
2132 }
2133
2134 return host;
2135 }
2136
2137 /*
2138 * Try to set and use the implicit specified hostname
2139 */
2140 private synchronized void useImplicitHost(boolean noSniUpdate) {
2141
2142 // Note: If the local name service is not trustworthy, reverse
2143 // host name resolution should not be performed for endpoint
2144 // identification. Use the application original specified
2145 // hostname or IP address instead.
2146
2147 // Get the original hostname via jdk.internal.misc.SharedSecrets
2148 InetAddress inetAddress = getInetAddress();
2149 if (inetAddress == null) { // not connected
2150 return;
2151 }
2152
2153 JavaNetInetAddressAccess jna =
2154 SharedSecrets.getJavaNetInetAddressAccess();
2155 String originalHostname = jna.getOriginalHostName(inetAddress);
2156 if ((originalHostname != null) &&
2157 (originalHostname.length() != 0)) {
2158
2159 host = originalHostname;
2160 if (!noSniUpdate && serverNames.isEmpty() && !noSniExtension) {
2161 serverNames =
2162 Utilities.addToSNIServerNameList(serverNames, host);
2163
2164 if (!roleIsServer &&
2165 (handshaker != null) && !handshaker.activated()) {
2166 handshaker.setSNIServerNames(serverNames);
2167 }
2168 }
2169
2170 return;
2171 }
2172
2173 // No explicitly specified hostname, no server name indication.
2174 if (!trustNameService) {
2175 // The local name service is not trustworthy, use IP address.
2176 host = inetAddress.getHostAddress();
2177 } else {
2178 // Use the underlying reverse host name resolution service.
2179 host = getInetAddress().getHostName();
2180 }
2181 }
2182
2183 // ONLY used by HttpsClient to setup the URI specified hostname
2184 //
2185 // Please NOTE that this method MUST be called before calling to
2186 // SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter
2187 // may override SNIHostName in the customized server name indication.
2188 public synchronized void setHost(String host) {
2189 this.host = host;
2190 this.serverNames =
2191 Utilities.addToSNIServerNameList(this.serverNames, this.host);
2192
2193 if (!roleIsServer && (handshaker != null) && !handshaker.activated()) {
2194 handshaker.setSNIServerNames(serverNames);
2195 }
2196 }
2197
2198 /**
2199 * Gets an input stream to read from the peer on the other side.
2200 * Data read from this stream was always integrity protected in
2201 * transit, and will usually have been confidentiality protected.
2202 */
2203 @Override
2204 public synchronized InputStream getInputStream() throws IOException {
2205 if (isClosed()) {
2206 throw new SocketException("Socket is closed");
2207 }
2208
2209 /*
2210 * Can't call isConnected() here, because the Handshakers
2211 * do some initialization before we actually connect.
2212 */
2213 if (connectionState == cs_START) {
2214 throw new SocketException("Socket is not connected");
2215 }
2216
2217 return input;
2218 }
2219
2220 /**
2221 * Gets an output stream to write to the peer on the other side.
2222 * Data written on this stream is always integrity protected, and
2223 * will usually be confidentiality protected.
2224 */
2225 @Override
2226 public synchronized OutputStream getOutputStream() throws IOException {
2227 if (isClosed()) {
2228 throw new SocketException("Socket is closed");
2229 }
2230
2231 /*
2232 * Can't call isConnected() here, because the Handshakers
2233 * do some initialization before we actually connect.
2234 */
2235 if (connectionState == cs_START) {
2236 throw new SocketException("Socket is not connected");
2237 }
2238
2239 return output;
2240 }
2241
2242 /**
2243 * Returns the SSL Session in use by this connection. These can
2244 * be long lived, and frequently correspond to an entire login session
2245 * for some user.
2246 */
2247 @Override
2248 public SSLSession getSession() {
2249 /*
2250 * Force a synchronous handshake, if appropriate.
2251 */
2252 if (getConnectionState() == cs_HANDSHAKE) {
2253 try {
2254 // start handshaking, if failed, the connection will be closed.
2255 startHandshake(false);
2256 } catch (IOException e) {
2257 // handshake failed. log and return a nullSession
2258 if (debug != null && Debug.isOn("handshake")) {
2259 System.out.println(Thread.currentThread().getName() +
2260 ", IOException in getSession(): " + e);
2261 }
2262 }
2263 }
2264 synchronized (this) {
2265 return sess;
2266 }
2267 }
2268
2269 @Override
2270 public synchronized SSLSession getHandshakeSession() {
2271 return handshakeSession;
2272 }
2273
2274 synchronized void setHandshakeSession(SSLSessionImpl session) {
2275 // update the fragment size, which may be negotiated during handshaking
2276 inputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
2277 outputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
2278
2279 handshakeSession = session;
2280 }
2281
2282 /**
2283 * Controls whether new connections may cause creation of new SSL
2284 * sessions.
2285 *
2286 * As long as handshaking has not started, we can change
2287 * whether we enable session creations. Otherwise,
2288 * we will need to wait for the next handshake.
2289 */
2290 @Override
2291 public synchronized void setEnableSessionCreation(boolean flag) {
2292 enableSessionCreation = flag;
2293
2294 if ((handshaker != null) && !handshaker.activated()) {
2295 handshaker.setEnableSessionCreation(enableSessionCreation);
2296 }
2297 }
2298
2299 /**
2300 * Returns true if new connections may cause creation of new SSL
2301 * sessions.
2302 */
2303 @Override
2304 public synchronized boolean getEnableSessionCreation() {
2305 return enableSessionCreation;
2306 }
2307
2308
2309 /**
2310 * Sets the flag controlling whether a server mode socket
2311 * *REQUIRES* SSL client authentication.
2312 *
2313 * As long as handshaking has not started, we can change
2314 * whether client authentication is needed. Otherwise,
2315 * we will need to wait for the next handshake.
2316 */
2317 @Override
2318 public synchronized void setNeedClientAuth(boolean flag) {
2319 doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED :
2320 ClientAuthType.CLIENT_AUTH_NONE);
2321
2322 if ((handshaker != null) &&
2323 (handshaker instanceof ServerHandshaker) &&
2324 !handshaker.activated()) {
2325 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
2326 }
2327 }
2328
2329 @Override
2330 public synchronized boolean getNeedClientAuth() {
2331 return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED);
2332 }
2333
2334 /**
2335 * Sets the flag controlling whether a server mode socket
2336 * *REQUESTS* SSL client authentication.
2337 *
2338 * As long as handshaking has not started, we can change
2339 * whether client authentication is requested. Otherwise,
2340 * we will need to wait for the next handshake.
2341 */
2342 @Override
2343 public synchronized void setWantClientAuth(boolean flag) {
2344 doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED :
2345 ClientAuthType.CLIENT_AUTH_NONE);
2346
2347 if ((handshaker != null) &&
2348 (handshaker instanceof ServerHandshaker) &&
2349 !handshaker.activated()) {
2350 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
2351 }
2352 }
2353
2354 @Override
2355 public synchronized boolean getWantClientAuth() {
2356 return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED);
2357 }
2358
2359
2360 /**
2361 * Sets the flag controlling whether the socket is in SSL
2362 * client or server mode. Must be called before any SSL
2363 * traffic has started.
2364 */
2365 @Override
2366 @SuppressWarnings("fallthrough")
2367 public synchronized void setUseClientMode(boolean flag) {
2368 switch (connectionState) {
2369
2370 case cs_START:
2371 /*
2372 * If we need to change the socket mode and the enabled
2373 * protocols and cipher suites haven't specifically been
2374 * set by the user, change them to the corresponding
2375 * default ones.
2376 */
2377 if (roleIsServer != (!flag)) {
2378 if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2379 enabledProtocols =
2380 sslContext.getDefaultProtocolList(!flag);
2381 }
2382
2383 if (sslContext.isDefaultCipherSuiteList(enabledCipherSuites)) {
2384 enabledCipherSuites =
2385 sslContext.getDefaultCipherSuiteList(!flag);
2386 }
2387 }
2388
2389 roleIsServer = !flag;
2390 break;
2391
2392 case cs_HANDSHAKE:
2393 /*
2394 * If we have a handshaker, but haven't started
2395 * SSL traffic, we can throw away our current
2396 * handshaker, and start from scratch. Don't
2397 * need to call doneConnect() again, we already
2398 * have the streams.
2399 */
2400 assert(handshaker != null);
2401 if (!handshaker.activated()) {
2402 /*
2403 * If we need to change the socket mode and the enabled
2404 * protocols and cipher suites haven't specifically been
2405 * set by the user, change them to the corresponding
2406 * default ones.
2407 */
2408 if (roleIsServer != (!flag)) {
2409 if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2410 enabledProtocols =
2411 sslContext.getDefaultProtocolList(!flag);
2412 }
2413
2414 if (sslContext.isDefaultCipherSuiteList(
2415 enabledCipherSuites)) {
2416 enabledCipherSuites =
2417 sslContext.getDefaultCipherSuiteList(!flag);
2418 }
2419 }
2420
2421 roleIsServer = !flag;
2422 connectionState = cs_START;
2423 initHandshaker();
2424 break;
2425 }
2426
2427 // If handshake has started, that's an error. Fall through...
2428
2429 default:
2430 if (debug != null && Debug.isOn("ssl")) {
2431 System.out.println(Thread.currentThread().getName() +
2432 ", setUseClientMode() invoked in state = " +
2433 connectionState);
2434 }
2435 throw new IllegalArgumentException(
2436 "Cannot change mode after SSL traffic has started");
2437 }
2438 }
2439
2440 @Override
2441 public synchronized boolean getUseClientMode() {
2442 return !roleIsServer;
2443 }
2444
2445
2446 /**
2447 * Returns the names of the cipher suites which could be enabled for use
2448 * on an SSL connection. Normally, only a subset of these will actually
2449 * be enabled by default, since this list may include cipher suites which
2450 * do not support the mutual authentication of servers and clients, or
2451 * which do not protect data confidentiality. Servers may also need
2452 * certain kinds of certificates to use certain cipher suites.
2453 *
2454 * @return an array of cipher suite names
2455 */
2456 @Override
2457 public String[] getSupportedCipherSuites() {
2458 return sslContext.getSupportedCipherSuiteList().toStringArray();
2459 }
2460
2461 /**
2462 * Controls which particular cipher suites are enabled for use on
2463 * this connection. The cipher suites must have been listed by
2464 * getCipherSuites() as being supported. Even if a suite has been
2465 * enabled, it might never be used if no peer supports it or the
2466 * requisite certificates (and private keys) are not available.
2467 *
2468 * @param suites Names of all the cipher suites to enable.
2469 */
2470 @Override
2471 public synchronized void setEnabledCipherSuites(String[] suites) {
2472 enabledCipherSuites = new CipherSuiteList(suites);
2473 if ((handshaker != null) && !handshaker.activated()) {
2474 handshaker.setEnabledCipherSuites(enabledCipherSuites);
2475 }
2476 }
2477
2478 /**
2479 * Returns the names of the SSL cipher suites which are currently enabled
2480 * for use on this connection. When an SSL socket is first created,
2481 * all enabled cipher suites <em>(a)</em> protect data confidentiality,
2482 * by traffic encryption, and <em>(b)</em> can mutually authenticate
2483 * both clients and servers. Thus, in some environments, this value
2484 * might be empty.
2485 *
2486 * @return an array of cipher suite names
2487 */
2488 @Override
2489 public synchronized String[] getEnabledCipherSuites() {
2490 return enabledCipherSuites.toStringArray();
2491 }
2492
2493
2494 /**
2495 * Returns the protocols that are supported by this implementation.
2496 * A subset of the supported protocols may be enabled for this connection
2497 * @return an array of protocol names.
2498 */
2499 @Override
2500 public String[] getSupportedProtocols() {
2501 return sslContext.getSuportedProtocolList().toStringArray();
2502 }
2503
2504 /**
2505 * Controls which protocols are enabled for use on
2506 * this connection. The protocols must have been listed by
2507 * getSupportedProtocols() as being supported.
2508 *
2509 * @param protocols protocols to enable.
2510 * @exception IllegalArgumentException when one of the protocols
2511 * named by the parameter is not supported.
2512 */
2513 @Override
2514 public synchronized void setEnabledProtocols(String[] protocols) {
2515 enabledProtocols = new ProtocolList(protocols);
2516 if ((handshaker != null) && !handshaker.activated()) {
2517 handshaker.setEnabledProtocols(enabledProtocols);
2518 }
2519 }
2520
2521 @Override
2522 public synchronized String[] getEnabledProtocols() {
2523 return enabledProtocols.toStringArray();
2524 }
2525
2526 /**
2527 * Assigns the socket timeout.
2528 * @see java.net.Socket#setSoTimeout
2529 */
2530 @Override
2531 public void setSoTimeout(int timeout) throws SocketException {
2532 if ((debug != null) && Debug.isOn("ssl")) {
2533 System.out.println(Thread.currentThread().getName() +
2534 ", setSoTimeout(" + timeout + ") called");
2535 }
2536
2537 super.setSoTimeout(timeout);
2538 }
2539
2540 /**
2541 * Registers an event listener to receive notifications that an
2542 * SSL handshake has completed on this connection.
2543 */
2544 @Override
2545 public synchronized void addHandshakeCompletedListener(
2546 HandshakeCompletedListener listener) {
2547 if (listener == null) {
2548 throw new IllegalArgumentException("listener is null");
2549 }
2550 if (handshakeListeners == null) {
2551 handshakeListeners = new
2552 HashMap<HandshakeCompletedListener, AccessControlContext>(4);
2553 }
2554 handshakeListeners.put(listener, AccessController.getContext());
2555 }
2556
2557
2558 /**
2559 * Removes a previously registered handshake completion listener.
2560 */
2561 @Override
2562 public synchronized void removeHandshakeCompletedListener(
2563 HandshakeCompletedListener listener) {
2564 if (handshakeListeners == null) {
2565 throw new IllegalArgumentException("no listeners");
2566 }
2567 if (handshakeListeners.remove(listener) == null) {
2568 throw new IllegalArgumentException("listener not registered");
2569 }
2570 if (handshakeListeners.isEmpty()) {
2571 handshakeListeners = null;
2572 }
2573 }
2574
2575 /**
2576 * Returns the SSLParameters in effect for this SSLSocket.
2577 */
2578 @Override
2579 public synchronized SSLParameters getSSLParameters() {
2580 SSLParameters params = super.getSSLParameters();
2581
2582 // the super implementation does not handle the following parameters
2583 params.setEndpointIdentificationAlgorithm(identificationProtocol);
2584 params.setAlgorithmConstraints(algorithmConstraints);
2585
2586 params.setUseCertificateAuthorities(useCertificateAuthorities);
2587
2588 if (sniMatchers.isEmpty() && !noSniMatcher) {
2589 // 'null' indicates none has been set
2590 params.setSNIMatchers(null);
2591 } else {
2592 params.setSNIMatchers(sniMatchers);
2593 }
2594
2595 if (serverNames.isEmpty() && !noSniExtension) {
2596 // 'null' indicates none has been set
2597 params.setServerNames(null);
2598 } else {
2599 params.setServerNames(serverNames);
2600 }
2601
2602 params.setUseCipherSuitesOrder(preferLocalCipherSuites);
2603 params.setMaximumPacketSize(maximumPacketSize);
2604 params.setApplicationProtocols(applicationProtocols);
2605
2606 // DTLS handshake retransmissions parameter does not apply here.
2607
2608 return params;
2609 }
2610
2611 /**
2612 * Applies SSLParameters to this socket.
2613 */
2614 @Override
2615 public synchronized void setSSLParameters(SSLParameters params) {
2616 super.setSSLParameters(params);
2617
2618 // the super implementation does not handle the following parameters
2619 identificationProtocol = params.getEndpointIdentificationAlgorithm();
2620 algorithmConstraints = params.getAlgorithmConstraints();
2621 preferLocalCipherSuites = params.getUseCipherSuitesOrder();
2622 maximumPacketSize = params.getMaximumPacketSize();
2623
2624 // DTLS handshake retransmissions parameter does not apply here.
2625
2626 if (maximumPacketSize != 0) {
2627 outputRecord.changePacketSize(maximumPacketSize);
2628 } else {
2629 // use the implicit maximum packet size.
2630 maximumPacketSize = outputRecord.getMaxPacketSize();
2631 }
2632
2633 useCertificateAuthorities = params.getUseCertificateAuthorities();
2634
2635 List<SNIServerName> sniNames = params.getServerNames();
2636 if (sniNames != null) {
2637 noSniExtension = sniNames.isEmpty();
2638 serverNames = sniNames;
2639 }
2640
2641 Collection<SNIMatcher> matchers = params.getSNIMatchers();
2642 if (matchers != null) {
2643 noSniMatcher = matchers.isEmpty();
2644 sniMatchers = matchers;
2645 }
2646
2647 applicationProtocols = params.getApplicationProtocols();
2648
2649 if ((handshaker != null) && !handshaker.activated()) {
2650 handshaker.setIdentificationProtocol(identificationProtocol);
2651 handshaker.setAlgorithmConstraints(algorithmConstraints);
2652 handshaker.setMaximumPacketSize(maximumPacketSize);
2653 handshaker.setApplicationProtocols(applicationProtocols);
2654 if (roleIsServer) {
2655 handshaker.setSNIMatchers(sniMatchers);
2656 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
2657 } else {
2658 handshaker.setSNIServerNames(serverNames);
2659 }
2660 }
2661 }
2662
2663 @Override
2664 public synchronized String getApplicationProtocol() {
2665 return applicationProtocol;
2666 }
2667
2668 @Override
2669 public synchronized String getHandshakeApplicationProtocol() {
2670 if ((handshaker != null) && handshaker.started()) {
2671 return handshaker.getHandshakeApplicationProtocol();
2672 }
2673 return null;
2674 }
2675
2676 @Override
2677 public synchronized void setHandshakeApplicationProtocolSelector(
2678 BiFunction<SSLSocket, List<String>, String> selector) {
2679 applicationProtocolSelector = selector;
2680 if ((handshaker != null) && !handshaker.activated()) {
2681 handshaker.setApplicationProtocolSelectorSSLSocket(selector);
2682 }
2683 }
2684
2685 @Override
2686 public synchronized BiFunction<SSLSocket, List<String>, String>
2687 getHandshakeApplicationProtocolSelector() {
2688 return this.applicationProtocolSelector;
2689 }
2690
2691 //
2692 // We allocate a separate thread to deliver handshake completion
2693 // events. This ensures that the notifications don't block the
2694 // protocol state machine.
2695 //
2696 private static class NotifyHandshake implements Runnable {
2697
2698 private Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
2699 targets; // who gets notified
2700 private HandshakeCompletedEvent event; // the notification
2701
2702 NotifyHandshake(
2703 Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
2704 entrySet, HandshakeCompletedEvent e) {
2705
2706 targets = new HashSet<>(entrySet); // clone the entry set
2707 event = e;
2708 }
2709
2710 @Override
2711 public void run() {
2712 // Don't need to synchronize, as it only runs in one thread.
2713 for (Map.Entry<HandshakeCompletedListener,AccessControlContext>
2714 entry : targets) {
2715
2716 final HandshakeCompletedListener l = entry.getKey();
2717 AccessControlContext acc = entry.getValue();
2718 AccessController.doPrivileged(new PrivilegedAction<Void>() {
2719 @Override
2720 public Void run() {
2721 l.handshakeCompleted(event);
2722 return null;
2723 }
2724 }, acc);
2725 }
2726 }
2727 }
2728
2729 /**
2730 * Returns a printable representation of this end of the connection.
2731 */
2732 @Override
2733 public String toString() {
2734 StringBuilder retval = new StringBuilder(80);
2735
2736 retval.append(Integer.toHexString(hashCode()));
2737 retval.append("[");
2738 retval.append(sess.getCipherSuite());
2739 retval.append(": ");
2740
2741 retval.append(super.toString());
2742 retval.append("]");
2743
2744 return retval.toString();
2745 }
2746 }