1 /*
2 * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.io.*;
29 import java.nio.*;
30 import java.util.*;
31 import java.security.*;
32
33 import javax.crypto.BadPaddingException;
34
35 import javax.net.ssl.*;
36 import javax.net.ssl.SSLEngineResult.*;
37
38 /**
39 * Implementation of an non-blocking SSLEngine.
40 *
41 * *Currently*, the SSLEngine code exists in parallel with the current
42 * SSLSocket. As such, the current implementation is using legacy code
43 * with many of the same abstractions. However, it varies in many
44 * areas, most dramatically in the IO handling.
45 *
46 * There are three main I/O threads that can be existing in parallel:
47 * wrap(), unwrap(), and beginHandshake(). We are encouraging users to
48 * not call multiple instances of wrap or unwrap, because the data could
49 * appear to flow out of the SSLEngine in a non-sequential order. We
50 * take all steps we can to at least make sure the ordering remains
51 * consistent, but once the calls returns, anything can happen. For
52 * example, thread1 and thread2 both call wrap, thread1 gets the first
53 * packet, thread2 gets the second packet, but thread2 gets control back
54 * before thread1, and sends the data. The receiving side would see an
55 * out-of-order error.
56 *
57 * Handshaking is still done the same way as SSLSocket using the normal
58 * InputStream/OutputStream abstactions. We create
59 * ClientHandshakers/ServerHandshakers, which produce/consume the
60 * handshaking data. The transfer of the data is largely handled by the
61 * HandshakeInStream/HandshakeOutStreams. Lastly, the
62 * InputRecord/OutputRecords still have the same functionality, except
63 * that they are overridden with EngineInputRecord/EngineOutputRecord,
64 * which provide SSLEngine-specific functionality.
65 *
66 * Some of the major differences are:
67 *
68 * EngineInputRecord/EngineOutputRecord/EngineWriter:
69 *
70 * In order to avoid writing whole new control flows for
71 * handshaking, and to reuse most of the same code, we kept most
72 * of the actual handshake code the same. As usual, reading
73 * handshake data may trigger output of more handshake data, so
74 * what we do is write this data to internal buffers, and wait for
75 * wrap() to be called to give that data a ride.
76 *
77 * All data is routed through
78 * EngineInputRecord/EngineOutputRecord. However, all handshake
79 * data (ct_alert/ct_change_cipher_spec/ct_handshake) are passed
80 * through to the underlying InputRecord/OutputRecord, and
81 * the data uses the internal buffers.
82 *
83 * Application data is handled slightly different, we copy the data
84 * directly from the src to the dst buffers, and do all operations
85 * on those buffers, saving the overhead of multiple copies.
86 *
87 * In the case of an inbound record, unwrap passes the inbound
88 * ByteBuffer to the InputRecord. If the data is handshake data,
89 * the data is read into the InputRecord's internal buffer. If
90 * the data is application data, the data is decoded directly into
91 * the dst buffer.
92 *
93 * In the case of an outbound record, when the write to the
94 * "real" OutputStream's would normally take place, instead we
95 * call back up to the EngineOutputRecord's version of
96 * writeBuffer, at which time we capture the resulting output in a
97 * ByteBuffer, and send that back to the EngineWriter for internal
98 * storage.
99 *
100 * EngineWriter is responsible for "handling" all outbound
101 * data, be it handshake or app data, and for returning the data
102 * to wrap() in the proper order.
103 *
104 * ClientHandshaker/ServerHandshaker/Handshaker:
105 * Methods which relied on SSLSocket now have work on either
106 * SSLSockets or SSLEngines.
107 *
108 * @author Brad Wetmore
109 */
110 final public class SSLEngineImpl extends SSLEngine {
111
112 //
113 // Fields and global comments
114 //
115
116 /*
117 * There's a state machine associated with each connection, which
118 * among other roles serves to negotiate session changes.
119 *
120 * - START with constructor, until the TCP connection's around.
121 * - HANDSHAKE picks session parameters before allowing traffic.
122 * There are many substates due to sequencing requirements
123 * for handshake messages.
124 * - DATA may be transmitted.
125 * - RENEGOTIATE state allows concurrent data and handshaking
126 * traffic ("same" substates as HANDSHAKE), and terminates
127 * in selection of new session (and connection) parameters
128 * - ERROR state immediately precedes abortive disconnect.
129 * - CLOSED when one side closes down, used to start the shutdown
130 * process. SSL connection objects are not reused.
131 *
132 * State affects what SSL record types may legally be sent:
133 *
134 * - Handshake ... only in HANDSHAKE and RENEGOTIATE states
135 * - App Data ... only in DATA and RENEGOTIATE states
136 * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE
137 *
138 * Re what may be received: same as what may be sent, except that
139 * HandshakeRequest handshaking messages can come from servers even
140 * in the application data state, to request entry to RENEGOTIATE.
141 *
142 * The state machine within HANDSHAKE and RENEGOTIATE states controls
143 * the pending session, not the connection state, until the change
144 * cipher spec and "Finished" handshake messages are processed and
145 * make the "new" session become the current one.
146 *
147 * NOTE: details of the SMs always need to be nailed down better.
148 * The text above illustrates the core ideas.
149 *
150 * +---->-------+------>--------->-------+
151 * | | |
152 * <-----< ^ ^ <-----< |
153 *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE |
154 * v v v |
155 * | | | |
156 * +------------+---------------+ |
157 * | |
158 * v |
159 * ERROR>------>----->CLOSED<--------<----+
160 *
161 * ALSO, note that the purpose of handshaking (renegotiation is
162 * included) is to assign a different, and perhaps new, session to
163 * the connection. The SSLv3 spec is a bit confusing on that new
164 * protocol feature.
165 */
166 private int connectionState;
167
168 private static final int cs_START = 0;
169 private static final int cs_HANDSHAKE = 1;
170 private static final int cs_DATA = 2;
171 private static final int cs_RENEGOTIATE = 3;
172 private static final int cs_ERROR = 4;
173 private static final int cs_CLOSED = 6;
174
175 /*
176 * Once we're in state cs_CLOSED, we can continue to
177 * wrap/unwrap until we finish sending/receiving the messages
178 * for close_notify. EngineWriter handles outboundDone.
179 */
180 private boolean inboundDone = false;
181
182 EngineWriter writer;
183
184 /*
185 * The authentication context holds all information used to establish
186 * who this end of the connection is (certificate chains, private keys,
187 * etc) and who is trusted (e.g. as CAs or websites).
188 */
189 private SSLContextImpl sslContext;
190
191 /*
192 * This connection is one of (potentially) many associated with
193 * any given session. The output of the handshake protocol is a
194 * new session ... although all the protocol description talks
195 * about changing the cipher spec (and it does change), in fact
196 * that's incidental since it's done by changing everything that
197 * is associated with a session at the same time. (TLS/IETF may
198 * change that to add client authentication w/o new key exchg.)
199 */
200 private Handshaker handshaker;
201 private SSLSessionImpl sess;
202 private volatile SSLSessionImpl handshakeSession;
203
204
205 /*
206 * Client authentication be off, requested, or required.
207 *
208 * This will be used by both this class and SSLSocket's variants.
209 */
210 static final byte clauth_none = 0;
211 static final byte clauth_requested = 1;
212 static final byte clauth_required = 2;
213
214 /*
215 * Flag indicating that the engine has received a ChangeCipherSpec message.
216 */
217 private boolean receivedCCS;
218
219 /*
220 * Flag indicating if the next record we receive MUST be a Finished
221 * message. Temporarily set during the handshake to ensure that
222 * a change cipher spec message is followed by a finished message.
223 */
224 private boolean expectingFinished;
225
226
227 /*
228 * If someone tries to closeInbound() (say at End-Of-Stream)
229 * our engine having received a close_notify, we need to
230 * notify the app that we may have a truncation attack underway.
231 */
232 private boolean recvCN;
233
234 /*
235 * For improved diagnostics, we detail connection closure
236 * If the engine is closed (connectionState >= cs_ERROR),
237 * closeReason != null indicates if the engine was closed
238 * because of an error or because or normal shutdown.
239 */
240 private SSLException closeReason;
241
242 /*
243 * Per-connection private state that doesn't change when the
244 * session is changed.
245 */
246 private byte doClientAuth;
247 private boolean enableSessionCreation = true;
248 EngineInputRecord inputRecord;
249 EngineOutputRecord outputRecord;
250 private AccessControlContext acc;
251
252 // The cipher suites enabled for use on this connection.
253 private CipherSuiteList enabledCipherSuites;
254
255 // the endpoint identification protocol
256 private String identificationProtocol = null;
257
258 // The cryptographic algorithm constraints
259 private AlgorithmConstraints algorithmConstraints = null;
260
261 // The server name indication and matchers
262 List<SNIServerName> serverNames =
263 Collections.<SNIServerName>emptyList();
264 Collection<SNIMatcher> sniMatchers =
265 Collections.<SNIMatcher>emptyList();
266
267 // Have we been told whether we're client or server?
268 private boolean serverModeSet = false;
269 private boolean roleIsServer;
270
271 /*
272 * The protocol versions enabled for use on this connection.
273 *
274 * Note: we support a pseudo protocol called SSLv2Hello which when
275 * set will result in an SSL v2 Hello being sent with SSL (version 3.0)
276 * or TLS (version 3.1, 3.2, etc.) version info.
277 */
278 private ProtocolList enabledProtocols;
279
280 /*
281 * The SSL version associated with this connection.
282 */
283 private ProtocolVersion protocolVersion = ProtocolVersion.DEFAULT;
284
285 /*
286 * Crypto state that's reinitialized when the session changes.
287 */
288 private Authenticator readAuthenticator, writeAuthenticator;
289 private CipherBox readCipher, writeCipher;
290 // NOTE: compression state would be saved here
291
292 /*
293 * security parameters for secure renegotiation.
294 */
295 private boolean secureRenegotiation;
296 private byte[] clientVerifyData;
297 private byte[] serverVerifyData;
298
299 /*
300 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
301 * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.
302 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
303 *
304 * There are several locks here.
305 *
306 * The primary lock is the per-instance lock used by
307 * synchronized(this) and the synchronized methods. It controls all
308 * access to things such as the connection state and variables which
309 * affect handshaking. If we are inside a synchronized method, we
310 * can access the state directly, otherwise, we must use the
311 * synchronized equivalents.
312 *
313 * Note that we must never acquire the <code>this</code> lock after
314 * <code>writeLock</code> or run the risk of deadlock.
315 *
316 * Grab some coffee, and be careful with any code changes.
317 */
318 private Object wrapLock;
319 private Object unwrapLock;
320 Object writeLock;
321
322 /*
323 * Is it the first application record to write?
324 */
325 private boolean isFirstAppOutputRecord = true;
326
327 /*
328 * Whether local cipher suites preference in server side should be
329 * honored during handshaking?
330 */
331 private boolean preferLocalCipherSuites = false;
332
333 /*
334 * Class and subclass dynamic debugging support
335 */
336 private static final Debug debug = Debug.getInstance("ssl");
337
338 //
339 // Initialization/Constructors
340 //
341
342 /**
343 * Constructor for an SSLEngine from SSLContext, without
344 * host/port hints. This Engine will not be able to cache
345 * sessions, but must renegotiate everything by hand.
346 */
347 SSLEngineImpl(SSLContextImpl ctx) {
348 super();
349 init(ctx);
350 }
351
352 /**
353 * Constructor for an SSLEngine from SSLContext.
354 */
355 SSLEngineImpl(SSLContextImpl ctx, String host, int port) {
356 super(host, port);
357 init(ctx);
358 }
359
360 /**
361 * Initializes the Engine
362 */
363 private void init(SSLContextImpl ctx) {
364 if (debug != null && Debug.isOn("ssl")) {
365 System.out.println("Using SSLEngineImpl.");
366 }
367
368 sslContext = ctx;
369 sess = SSLSessionImpl.nullSession;
370 handshakeSession = null;
371
372 /*
373 * State is cs_START until we initialize the handshaker.
374 *
375 * Apps using SSLEngine are probably going to be server.
376 * Somewhat arbitrary choice.
377 */
378 roleIsServer = true;
379 connectionState = cs_START;
380 receivedCCS = false;
381
382 // default server name indication
383 serverNames =
384 Utilities.addToSNIServerNameList(serverNames, getPeerHost());
385
386 /*
387 * default read and write side cipher and MAC support
388 *
389 * Note: compression support would go here too
390 */
391 readCipher = CipherBox.NULL;
392 readAuthenticator = MAC.NULL;
393 writeCipher = CipherBox.NULL;
394 writeAuthenticator = MAC.NULL;
395
396 // default security parameters for secure renegotiation
397 secureRenegotiation = false;
398 clientVerifyData = new byte[0];
399 serverVerifyData = new byte[0];
400
401 enabledCipherSuites =
402 sslContext.getDefaultCipherSuiteList(roleIsServer);
403 enabledProtocols =
404 sslContext.getDefaultProtocolList(roleIsServer);
405
406 wrapLock = new Object();
407 unwrapLock = new Object();
408 writeLock = new Object();
409
410 /*
411 * Save the Access Control Context. This will be used later
412 * for a couple of things, including providing a context to
413 * run tasks in, and for determining which credentials
414 * to use for Subject based (JAAS) decisions
415 */
416 acc = AccessController.getContext();
417
418 /*
419 * All outbound application data goes through this OutputRecord,
420 * other data goes through their respective records created
421 * elsewhere. All inbound data goes through this one
422 * input record.
423 */
424 outputRecord =
425 new EngineOutputRecord(Record.ct_application_data, this);
426 inputRecord = new EngineInputRecord(this);
427 inputRecord.enableFormatChecks();
428
429 writer = new EngineWriter();
430 }
431
432 /**
433 * Initialize the handshaker object. This means:
434 *
435 * . if a handshake is already in progress (state is cs_HANDSHAKE
436 * or cs_RENEGOTIATE), do nothing and return
437 *
438 * . if the engine is already closed, throw an Exception (internal error)
439 *
440 * . otherwise (cs_START or cs_DATA), create the appropriate handshaker
441 * object and advance the connection state (to cs_HANDSHAKE or
442 * cs_RENEGOTIATE, respectively).
443 *
444 * This method is called right after a new engine is created, when
445 * starting renegotiation, or when changing client/server mode of the
446 * engine.
447 */
448 private void initHandshaker() {
449 switch (connectionState) {
450
451 //
452 // Starting a new handshake.
453 //
454 case cs_START:
455 case cs_DATA:
456 break;
457
458 //
459 // We're already in the middle of a handshake.
460 //
461 case cs_HANDSHAKE:
462 case cs_RENEGOTIATE:
463 return;
464
465 //
466 // Anyone allowed to call this routine is required to
467 // do so ONLY if the connection state is reasonable...
468 //
469 default:
470 throw new IllegalStateException("Internal error");
471 }
472
473 // state is either cs_START or cs_DATA
474 if (connectionState == cs_START) {
475 connectionState = cs_HANDSHAKE;
476 } else { // cs_DATA
477 connectionState = cs_RENEGOTIATE;
478 }
479 if (roleIsServer) {
480 handshaker = new ServerHandshaker(this, sslContext,
481 enabledProtocols, doClientAuth,
482 protocolVersion, connectionState == cs_HANDSHAKE,
483 secureRenegotiation, clientVerifyData, serverVerifyData);
484 handshaker.setSNIMatchers(sniMatchers);
485 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
486 } else {
487 handshaker = new ClientHandshaker(this, sslContext,
488 enabledProtocols,
489 protocolVersion, connectionState == cs_HANDSHAKE,
490 secureRenegotiation, clientVerifyData, serverVerifyData);
491 handshaker.setSNIServerNames(serverNames);
492 }
493 handshaker.setEnabledCipherSuites(enabledCipherSuites);
494 handshaker.setEnableSessionCreation(enableSessionCreation);
495 }
496
497 /*
498 * Report the current status of the Handshaker
499 */
500 private HandshakeStatus getHSStatus(HandshakeStatus hss) {
501
502 if (hss != null) {
503 return hss;
504 }
505
506 synchronized (this) {
507 if (writer.hasOutboundData()) {
508 return HandshakeStatus.NEED_WRAP;
509 } else if (handshaker != null) {
510 if (handshaker.taskOutstanding()) {
511 return HandshakeStatus.NEED_TASK;
512 } else {
513 return HandshakeStatus.NEED_UNWRAP;
514 }
515 } else if (connectionState == cs_CLOSED) {
516 /*
517 * Special case where we're closing, but
518 * still need the close_notify before we
519 * can officially be closed.
520 *
521 * Note isOutboundDone is taken care of by
522 * hasOutboundData() above.
523 */
524 if (!isInboundDone()) {
525 return HandshakeStatus.NEED_UNWRAP;
526 } // else not handshaking
527 }
528
529 return HandshakeStatus.NOT_HANDSHAKING;
530 }
531 }
532
533 synchronized private void checkTaskThrown() throws SSLException {
534 if (handshaker != null) {
535 handshaker.checkThrown();
536 }
537 }
538
539 //
540 // Handshaking and connection state code
541 //
542
543 /*
544 * Provides "this" synchronization for connection state.
545 * Otherwise, you can access it directly.
546 */
547 synchronized private int getConnectionState() {
548 return connectionState;
549 }
550
551 synchronized private void setConnectionState(int state) {
552 connectionState = state;
553 }
554
555 /*
556 * Get the Access Control Context.
557 *
558 * Used for a known context to
559 * run tasks in, and for determining which credentials
560 * to use for Subject-based (JAAS) decisions.
561 */
562 AccessControlContext getAcc() {
563 return acc;
564 }
565
566 /*
567 * Is a handshake currently underway?
568 */
569 @Override
570 public SSLEngineResult.HandshakeStatus getHandshakeStatus() {
571 return getHSStatus(null);
572 }
573
574 /*
575 * When a connection finishes handshaking by enabling use of a newly
576 * negotiated session, each end learns about it in two halves (read,
577 * and write). When both read and write ciphers have changed, and the
578 * last handshake message has been read, the connection has joined
579 * (rejoined) the new session.
580 *
581 * NOTE: The SSLv3 spec is rather unclear on the concepts here.
582 * Sessions don't change once they're established (including cipher
583 * suite and master secret) but connections can join them (and leave
584 * them). They're created by handshaking, though sometime handshaking
585 * causes connections to join up with pre-established sessions.
586 *
587 * Synchronized on "this" from readRecord.
588 */
589 private void changeReadCiphers() throws SSLException {
590 if (connectionState != cs_HANDSHAKE
591 && connectionState != cs_RENEGOTIATE) {
592 throw new SSLProtocolException(
593 "State error, change cipher specs");
594 }
595
596 // ... create decompressor
597
598 CipherBox oldCipher = readCipher;
599
600 try {
601 readCipher = handshaker.newReadCipher();
602 readAuthenticator = handshaker.newReadAuthenticator();
603 } catch (GeneralSecurityException e) {
604 // "can't happen"
605 throw new SSLException("Algorithm missing: ", e);
606 }
607
608 /*
609 * Dispose of any intermediate state in the underlying cipher.
610 * For PKCS11 ciphers, this will release any attached sessions,
611 * and thus make finalization faster.
612 *
613 * Since MAC's doFinal() is called for every SSL/TLS packet, it's
614 * not necessary to do the same with MAC's.
615 */
616 oldCipher.dispose();
617 }
618
619 /*
620 * used by Handshaker to change the active write cipher, follows
621 * the output of the CCS message.
622 *
623 * Also synchronized on "this" from readRecord/delegatedTask.
624 */
625 void changeWriteCiphers() throws SSLException {
626 if (connectionState != cs_HANDSHAKE
627 && connectionState != cs_RENEGOTIATE) {
628 throw new SSLProtocolException(
629 "State error, change cipher specs");
630 }
631
632 // ... create compressor
633
634 CipherBox oldCipher = writeCipher;
635
636 try {
637 writeCipher = handshaker.newWriteCipher();
638 writeAuthenticator = handshaker.newWriteAuthenticator();
639 } catch (GeneralSecurityException e) {
640 // "can't happen"
641 throw new SSLException("Algorithm missing: ", e);
642 }
643
644 // See comment above.
645 oldCipher.dispose();
646
647 // reset the flag of the first application record
648 isFirstAppOutputRecord = true;
649 }
650
651 /*
652 * Updates the SSL version associated with this connection.
653 * Called from Handshaker once it has determined the negotiated version.
654 */
655 synchronized void setVersion(ProtocolVersion protocolVersion) {
656 this.protocolVersion = protocolVersion;
657 outputRecord.setVersion(protocolVersion);
658 }
659
660
661 /**
662 * Kickstart the handshake if it is not already in progress.
663 * This means:
664 *
665 * . if handshaking is already underway, do nothing and return
666 *
667 * . if the engine is not connected or already closed, throw an
668 * Exception.
669 *
670 * . otherwise, call initHandshake() to initialize the handshaker
671 * object and progress the state. Then, send the initial
672 * handshaking message if appropriate (always on clients and
673 * on servers when renegotiating).
674 */
675 private synchronized void kickstartHandshake() throws IOException {
676 switch (connectionState) {
677
678 case cs_START:
679 if (!serverModeSet) {
680 throw new IllegalStateException(
681 "Client/Server mode not yet set.");
682 }
683 initHandshaker();
684 break;
685
686 case cs_HANDSHAKE:
687 // handshaker already setup, proceed
688 break;
689
690 case cs_DATA:
691 if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) {
692 throw new SSLHandshakeException(
693 "Insecure renegotiation is not allowed");
694 }
695
696 if (!secureRenegotiation) {
697 if (debug != null && Debug.isOn("handshake")) {
698 System.out.println(
699 "Warning: Using insecure renegotiation");
700 }
701 }
702
703 // initialize the handshaker, move to cs_RENEGOTIATE
704 initHandshaker();
705 break;
706
707 case cs_RENEGOTIATE:
708 // handshaking already in progress, return
709 return;
710
711 default:
712 // cs_ERROR/cs_CLOSED
713 throw new SSLException("SSLEngine is closing/closed");
714 }
715
716 //
717 // Kickstart handshake state machine if we need to ...
718 //
719 // Note that handshaker.kickstart() writes the message
720 // to its HandshakeOutStream, which calls back into
721 // SSLSocketImpl.writeRecord() to send it.
722 //
723 if (!handshaker.activated()) {
724 // prior to handshaking, activate the handshake
725 if (connectionState == cs_RENEGOTIATE) {
726 // don't use SSLv2Hello when renegotiating
727 handshaker.activate(protocolVersion);
728 } else {
729 handshaker.activate(null);
730 }
731
732 if (handshaker instanceof ClientHandshaker) {
733 // send client hello
734 handshaker.kickstart();
735 } else { // instanceof ServerHandshaker
736 if (connectionState == cs_HANDSHAKE) {
737 // initial handshake, no kickstart message to send
738 } else {
739 // we want to renegotiate, send hello request
740 handshaker.kickstart();
741
742 // hello request is not included in the handshake
743 // hashes, reset them
744 handshaker.handshakeHash.reset();
745 }
746 }
747 }
748 }
749
750 /*
751 * Start a SSLEngine handshake
752 */
753 @Override
754 public void beginHandshake() throws SSLException {
755 try {
756 kickstartHandshake();
757 } catch (Exception e) {
758 fatal(Alerts.alert_handshake_failure,
759 "Couldn't kickstart handshaking", e);
760 }
761 }
762
763
764 //
765 // Read/unwrap side
766 //
767
768
769 /**
770 * Unwraps a buffer. Does a variety of checks before grabbing
771 * the unwrapLock, which blocks multiple unwraps from occurring.
772 */
773 @Override
774 public SSLEngineResult unwrap(ByteBuffer netData, ByteBuffer [] appData,
775 int offset, int length) throws SSLException {
776
777 EngineArgs ea = new EngineArgs(netData, appData, offset, length);
778
779 try {
780 synchronized (unwrapLock) {
781 return readNetRecord(ea);
782 }
783 } catch (Exception e) {
784 /*
785 * Don't reset position so it looks like we didn't
786 * consume anything. We did consume something, and it
787 * got us into this situation, so report that much back.
788 * Our days of consuming are now over anyway.
789 */
790 fatal(Alerts.alert_internal_error,
791 "problem unwrapping net record", e);
792 return null; // make compiler happy
793 } finally {
794 /*
795 * Just in case something failed to reset limits properly.
796 */
797 ea.resetLim();
798 }
799 }
800
801 /*
802 * Makes additional checks for unwrap, but this time more
803 * specific to this packet and the current state of the machine.
804 */
805 private SSLEngineResult readNetRecord(EngineArgs ea) throws IOException {
806
807 Status status = null;
808 HandshakeStatus hsStatus = null;
809
810 /*
811 * See if the handshaker needs to report back some SSLException.
812 */
813 checkTaskThrown();
814
815 /*
816 * Check if we are closing/closed.
817 */
818 if (isInboundDone()) {
819 return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0);
820 }
821
822 /*
823 * If we're still in cs_HANDSHAKE, make sure it's been
824 * started.
825 */
826 synchronized (this) {
827 if ((connectionState == cs_HANDSHAKE) ||
828 (connectionState == cs_START)) {
829 kickstartHandshake();
830
831 /*
832 * If there's still outbound data to flush, we
833 * can return without trying to unwrap anything.
834 */
835 hsStatus = getHSStatus(null);
836
837 if (hsStatus == HandshakeStatus.NEED_WRAP) {
838 return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
839 }
840 }
841 }
842
843 /*
844 * Grab a copy of this if it doesn't already exist,
845 * and we can use it several places before anything major
846 * happens on this side. Races aren't critical
847 * here.
848 */
849 if (hsStatus == null) {
850 hsStatus = getHSStatus(null);
851 }
852
853 /*
854 * If we have a task outstanding, this *MUST* be done before
855 * doing any more unwrapping, because we could be in the middle
856 * of receiving a handshake message, for example, a finished
857 * message which would change the ciphers.
858 */
859 if (hsStatus == HandshakeStatus.NEED_TASK) {
860 return new SSLEngineResult(
861 Status.OK, hsStatus, 0, 0);
862 }
863
864 /*
865 * Check the packet to make sure enough is here.
866 * This will also indirectly check for 0 len packets.
867 */
868 int packetLen = inputRecord.bytesInCompletePacket(ea.netData);
869
870 // Is this packet bigger than SSL/TLS normally allows?
871 if (packetLen > sess.getPacketBufferSize()) {
872 if (packetLen > Record.maxLargeRecordSize) {
873 throw new SSLProtocolException(
874 "Input SSL/TLS record too big: max = " +
875 Record.maxLargeRecordSize +
876 " len = " + packetLen);
877 } else {
878 // Expand the expected maximum packet/application buffer
879 // sizes.
880 sess.expandBufferSizes();
881 }
882 }
883
884 /*
885 * Check for OVERFLOW.
886 *
887 * To be considered: We could delay enforcing the application buffer
888 * free space requirement until after the initial handshaking.
889 */
890 if ((packetLen - Record.headerSize) > ea.getAppRemaining()) {
891 return new SSLEngineResult(Status.BUFFER_OVERFLOW, hsStatus, 0, 0);
892 }
893
894 // check for UNDERFLOW.
895 if ((packetLen == -1) || (ea.netData.remaining() < packetLen)) {
896 return new SSLEngineResult(
897 Status.BUFFER_UNDERFLOW, hsStatus, 0, 0);
898 }
899
900 /*
901 * We're now ready to actually do the read.
902 * The only result code we really need to be exactly
903 * right is the HS finished, for signaling to
904 * HandshakeCompletedListeners.
905 */
906 try {
907 hsStatus = readRecord(ea);
908 } catch (SSLException e) {
909 throw e;
910 } catch (IOException e) {
911 throw new SSLException("readRecord", e);
912 }
913
914 /*
915 * Check the various condition that we could be reporting.
916 *
917 * It's *possible* something might have happened between the
918 * above and now, but it was better to minimally lock "this"
919 * during the read process. We'll return the current
920 * status, which is more representative of the current state.
921 *
922 * status above should cover: FINISHED, NEED_TASK
923 */
924 status = (isInboundDone() ? Status.CLOSED : Status.OK);
925 hsStatus = getHSStatus(hsStatus);
926
927 return new SSLEngineResult(status, hsStatus,
928 ea.deltaNet(), ea.deltaApp());
929 }
930
931 /*
932 * Actually do the read record processing.
933 *
934 * Returns a Status if it can make specific determinations
935 * of the engine state. In particular, we need to signal
936 * that a handshake just completed.
937 *
938 * It would be nice to be symmetrical with the write side and move
939 * the majority of this to EngineInputRecord, but there's too much
940 * SSLEngine state to do that cleanly. It must still live here.
941 */
942 private HandshakeStatus readRecord(EngineArgs ea) throws IOException {
943
944 HandshakeStatus hsStatus = null;
945
946 /*
947 * The various operations will return new sliced BB's,
948 * this will avoid having to worry about positions and
949 * limits in the netBB.
950 */
951 ByteBuffer readBB = null;
952 ByteBuffer decryptedBB = null;
953
954 if (getConnectionState() != cs_ERROR) {
955
956 /*
957 * Read a record ... maybe emitting an alert if we get a
958 * comprehensible but unsupported "hello" message during
959 * format checking (e.g. V2).
960 */
961 try {
962 readBB = inputRecord.read(ea.netData);
963 } catch (IOException e) {
964 fatal(Alerts.alert_unexpected_message, e);
965 }
966
967 /*
968 * The basic SSLv3 record protection involves (optional)
969 * encryption for privacy, and an integrity check ensuring
970 * data origin authentication. We do them both here, and
971 * throw a fatal alert if the integrity check fails.
972 */
973 try {
974 decryptedBB = inputRecord.decrypt(
975 readAuthenticator, readCipher, readBB);
976 } catch (BadPaddingException e) {
977 byte alertType = (inputRecord.contentType() ==
978 Record.ct_handshake) ?
979 Alerts.alert_handshake_failure :
980 Alerts.alert_bad_record_mac;
981 fatal(alertType, e.getMessage(), e);
982 }
983
984 // if (!inputRecord.decompress(c))
985 // fatal(Alerts.alert_decompression_failure,
986 // "decompression failure");
987
988
989 /*
990 * Process the record.
991 */
992
993 synchronized (this) {
994 switch (inputRecord.contentType()) {
995 case Record.ct_handshake:
996 /*
997 * Handshake messages always go to a pending session
998 * handshaker ... if there isn't one, create one. This
999 * must work asynchronously, for renegotiation.
1000 *
1001 * NOTE that handshaking will either resume a session
1002 * which was in the cache (and which might have other
1003 * connections in it already), or else will start a new
1004 * session (new keys exchanged) with just this connection
1005 * in it.
1006 */
1007 initHandshaker();
1008 if (!handshaker.activated()) {
1009 // prior to handshaking, activate the handshake
1010 if (connectionState == cs_RENEGOTIATE) {
1011 // don't use SSLv2Hello when renegotiating
1012 handshaker.activate(protocolVersion);
1013 } else {
1014 handshaker.activate(null);
1015 }
1016 }
1017
1018 /*
1019 * process the handshake record ... may contain just
1020 * a partial handshake message or multiple messages.
1021 *
1022 * The handshaker state machine will ensure that it's
1023 * a finished message.
1024 */
1025 handshaker.process_record(inputRecord, expectingFinished);
1026 expectingFinished = false;
1027
1028 if (handshaker.invalidated) {
1029 handshaker = null;
1030 receivedCCS = false;
1031 // if state is cs_RENEGOTIATE, revert it to cs_DATA
1032 if (connectionState == cs_RENEGOTIATE) {
1033 connectionState = cs_DATA;
1034 }
1035 } else if (handshaker.isDone()) {
1036 // reset the parameters for secure renegotiation.
1037 secureRenegotiation =
1038 handshaker.isSecureRenegotiation();
1039 clientVerifyData = handshaker.getClientVerifyData();
1040 serverVerifyData = handshaker.getServerVerifyData();
1041
1042 sess = handshaker.getSession();
1043 handshakeSession = null;
1044 if (!writer.hasOutboundData()) {
1045 hsStatus = HandshakeStatus.FINISHED;
1046 }
1047 handshaker = null;
1048 connectionState = cs_DATA;
1049 receivedCCS = false;
1050
1051 // No handshakeListeners here. That's a
1052 // SSLSocket thing.
1053 } else if (handshaker.taskOutstanding()) {
1054 hsStatus = HandshakeStatus.NEED_TASK;
1055 }
1056 break;
1057
1058 case Record.ct_application_data:
1059 // Pass this right back up to the application.
1060 if ((connectionState != cs_DATA)
1061 && (connectionState != cs_RENEGOTIATE)
1062 && (connectionState != cs_CLOSED)) {
1063 throw new SSLProtocolException(
1064 "Data received in non-data state: " +
1065 connectionState);
1066 }
1067
1068 if (expectingFinished) {
1069 throw new SSLProtocolException
1070 ("Expecting finished message, received data");
1071 }
1072
1073 /*
1074 * Don't return data once the inbound side is
1075 * closed.
1076 */
1077 if (!inboundDone) {
1078 ea.scatter(decryptedBB.slice());
1079 }
1080 break;
1081
1082 case Record.ct_alert:
1083 recvAlert();
1084 break;
1085
1086 case Record.ct_change_cipher_spec:
1087 if ((connectionState != cs_HANDSHAKE
1088 && connectionState != cs_RENEGOTIATE)
1089 || !handshaker.sessionKeysCalculated()
1090 || receivedCCS) {
1091 // For the CCS message arriving in the wrong state
1092 fatal(Alerts.alert_unexpected_message,
1093 "illegal change cipher spec msg, conn state = "
1094 + connectionState + ", handshake state = "
1095 + handshaker.state);
1096 } else if (inputRecord.available() != 1
1097 || inputRecord.read() != 1) {
1098 // For structural/content issues with the CCS
1099 fatal(Alerts.alert_unexpected_message,
1100 "Malformed change cipher spec msg");
1101 }
1102
1103 // Once we've received CCS, update the flag.
1104 // If the remote endpoint sends it again in this handshake
1105 // we won't process it.
1106 receivedCCS = true;
1107
1108 //
1109 // The first message after a change_cipher_spec
1110 // record MUST be a "Finished" handshake record,
1111 // else it's a protocol violation. We force this
1112 // to be checked by a minor tweak to the state
1113 // machine.
1114 //
1115 changeReadCiphers();
1116 // next message MUST be a finished message
1117 expectingFinished = true;
1118 break;
1119
1120 default:
1121 //
1122 // TLS requires that unrecognized records be ignored.
1123 //
1124 if (debug != null && Debug.isOn("ssl")) {
1125 System.out.println(Thread.currentThread().getName() +
1126 ", Received record type: "
1127 + inputRecord.contentType());
1128 }
1129 break;
1130 } // switch
1131
1132 /*
1133 * We only need to check the sequence number state for
1134 * non-handshaking record.
1135 *
1136 * Note that in order to maintain the handshake status
1137 * properly, we check the sequence number after the last
1138 * record reading process. As we request renegotiation
1139 * or close the connection for wrapped sequence number
1140 * when there is enough sequence number space left to
1141 * handle a few more records, so the sequence number
1142 * of the last record cannot be wrapped.
1143 */
1144 hsStatus = getHSStatus(hsStatus);
1145 if (connectionState < cs_ERROR && !isInboundDone() &&
1146 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) {
1147 if (checkSequenceNumber(readAuthenticator,
1148 inputRecord.contentType())) {
1149 hsStatus = getHSStatus(null);
1150 }
1151 }
1152 } // synchronized (this)
1153 }
1154
1155 return hsStatus;
1156 }
1157
1158
1159 //
1160 // write/wrap side
1161 //
1162
1163
1164 /**
1165 * Wraps a buffer. Does a variety of checks before grabbing
1166 * the wrapLock, which blocks multiple wraps from occurring.
1167 */
1168 @Override
1169 public SSLEngineResult wrap(ByteBuffer [] appData,
1170 int offset, int length, ByteBuffer netData) throws SSLException {
1171
1172 EngineArgs ea = new EngineArgs(appData, offset, length, netData);
1173
1174 /*
1175 * We can be smarter about using smaller buffer sizes later.
1176 * For now, force it to be large enough to handle any
1177 * valid SSL/TLS record.
1178 */
1179 if (netData.remaining() < EngineOutputRecord.maxRecordSize) {
1180 return new SSLEngineResult(
1181 Status.BUFFER_OVERFLOW, getHSStatus(null), 0, 0);
1182 }
1183
1184 try {
1185 synchronized (wrapLock) {
1186 return writeAppRecord(ea);
1187 }
1188 } catch (Exception e) {
1189 ea.resetPos();
1190
1191 fatal(Alerts.alert_internal_error,
1192 "problem wrapping app data", e);
1193 return null; // make compiler happy
1194 } finally {
1195 /*
1196 * Just in case something didn't reset limits properly.
1197 */
1198 ea.resetLim();
1199 }
1200 }
1201
1202 /*
1203 * Makes additional checks for unwrap, but this time more
1204 * specific to this packet and the current state of the machine.
1205 */
1206 private SSLEngineResult writeAppRecord(EngineArgs ea) throws IOException {
1207
1208 Status status = null;
1209 HandshakeStatus hsStatus = null;
1210
1211 /*
1212 * See if the handshaker needs to report back some SSLException.
1213 */
1214 checkTaskThrown();
1215
1216 /*
1217 * short circuit if we're closed/closing.
1218 */
1219 if (writer.isOutboundDone()) {
1220 return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0);
1221 }
1222
1223 /*
1224 * If we're still in cs_HANDSHAKE, make sure it's been
1225 * started.
1226 */
1227 synchronized (this) {
1228 if ((connectionState == cs_HANDSHAKE) ||
1229 (connectionState == cs_START)) {
1230 kickstartHandshake();
1231
1232 /*
1233 * If there's no HS data available to write, we can return
1234 * without trying to wrap anything.
1235 */
1236 hsStatus = getHSStatus(null);
1237
1238 if (hsStatus == HandshakeStatus.NEED_UNWRAP) {
1239 return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
1240 }
1241 }
1242 }
1243
1244 /*
1245 * Grab a copy of this if it doesn't already exist,
1246 * and we can use it several places before anything major
1247 * happens on this side. Races aren't critical
1248 * here.
1249 */
1250 if (hsStatus == null) {
1251 hsStatus = getHSStatus(null);
1252 }
1253
1254 /*
1255 * If we have a task outstanding, this *MUST* be done before
1256 * doing any more wrapping, because we could be in the middle
1257 * of receiving a handshake message, for example, a finished
1258 * message which would change the ciphers.
1259 */
1260 if (hsStatus == HandshakeStatus.NEED_TASK) {
1261 return new SSLEngineResult(
1262 Status.OK, hsStatus, 0, 0);
1263 }
1264
1265 /*
1266 * This will obtain any waiting outbound data, or will
1267 * process the outbound appData.
1268 */
1269 try {
1270 synchronized (writeLock) {
1271 hsStatus = writeRecord(outputRecord, ea);
1272 }
1273 } catch (SSLException e) {
1274 throw e;
1275 } catch (IOException e) {
1276 throw new SSLException("Write problems", e);
1277 }
1278
1279 /*
1280 * writeRecord might have reported some status.
1281 * Now check for the remaining cases.
1282 *
1283 * status above should cover: NEED_WRAP/FINISHED
1284 */
1285 status = (isOutboundDone() ? Status.CLOSED : Status.OK);
1286 hsStatus = getHSStatus(hsStatus);
1287
1288 return new SSLEngineResult(status, hsStatus,
1289 ea.deltaApp(), ea.deltaNet());
1290 }
1291
1292 /*
1293 * Central point to write/get all of the outgoing data.
1294 */
1295 private HandshakeStatus writeRecord(EngineOutputRecord eor,
1296 EngineArgs ea) throws IOException {
1297
1298 // eventually compress as well.
1299 HandshakeStatus hsStatus =
1300 writer.writeRecord(eor, ea, writeAuthenticator, writeCipher);
1301
1302 /*
1303 * We only need to check the sequence number state for
1304 * non-handshaking record.
1305 *
1306 * Note that in order to maintain the handshake status
1307 * properly, we check the sequence number after the last
1308 * record writing process. As we request renegotiation
1309 * or close the connection for wrapped sequence number
1310 * when there is enough sequence number space left to
1311 * handle a few more records, so the sequence number
1312 * of the last record cannot be wrapped.
1313 */
1314 hsStatus = getHSStatus(hsStatus);
1315 if (connectionState < cs_ERROR && !isOutboundDone() &&
1316 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) {
1317 if (checkSequenceNumber(writeAuthenticator, eor.contentType())) {
1318 hsStatus = getHSStatus(null);
1319 }
1320 }
1321
1322 /*
1323 * turn off the flag of the first application record if we really
1324 * consumed at least byte.
1325 */
1326 if (isFirstAppOutputRecord && ea.deltaApp() > 0) {
1327 isFirstAppOutputRecord = false;
1328 }
1329
1330 return hsStatus;
1331 }
1332
1333 /*
1334 * Need to split the payload except the following cases:
1335 *
1336 * 1. protocol version is TLS 1.1 or later;
1337 * 2. bulk cipher does not use CBC mode, including null bulk cipher suites.
1338 * 3. the payload is the first application record of a freshly
1339 * negotiated TLS session.
1340 * 4. the CBC protection is disabled;
1341 *
1342 * More details, please refer to
1343 * EngineOutputRecord.write(EngineArgs, MAC, CipherBox).
1344 */
1345 boolean needToSplitPayload(CipherBox cipher, ProtocolVersion protocol) {
1346 return (protocol.v <= ProtocolVersion.TLS10.v) &&
1347 cipher.isCBCMode() && !isFirstAppOutputRecord &&
1348 Record.enableCBCProtection;
1349 }
1350
1351 /*
1352 * Non-application OutputRecords go through here.
1353 */
1354 void writeRecord(EngineOutputRecord eor) throws IOException {
1355 // eventually compress as well.
1356 writer.writeRecord(eor, writeAuthenticator, writeCipher);
1357
1358 /*
1359 * Check the sequence number state
1360 *
1361 * Note that in order to maintain the connection I/O
1362 * properly, we check the sequence number after the last
1363 * record writing process. As we request renegotiation
1364 * or close the connection for wrapped sequence number
1365 * when there is enough sequence number space left to
1366 * handle a few more records, so the sequence number
1367 * of the last record cannot be wrapped.
1368 */
1369 if ((connectionState < cs_ERROR) && !isOutboundDone()) {
1370 checkSequenceNumber(writeAuthenticator, eor.contentType());
1371 }
1372 }
1373
1374 //
1375 // Close code
1376 //
1377
1378 /**
1379 * Check the sequence number state
1380 *
1381 * RFC 4346 states that, "Sequence numbers are of type uint64 and
1382 * may not exceed 2^64-1. Sequence numbers do not wrap. If a TLS
1383 * implementation would need to wrap a sequence number, it must
1384 * renegotiate instead."
1385 *
1386 * Return true if the handshake status may be changed.
1387 */
1388 private boolean checkSequenceNumber(Authenticator authenticator, byte type)
1389 throws IOException {
1390
1391 /*
1392 * Don't bother to check the sequence number for error or
1393 * closed connections, or NULL MAC
1394 */
1395 if (connectionState >= cs_ERROR || authenticator == MAC.NULL) {
1396 return false;
1397 }
1398
1399 /*
1400 * Conservatively, close the connection immediately when the
1401 * sequence number is close to overflow
1402 */
1403 if (authenticator.seqNumOverflow()) {
1404 /*
1405 * TLS protocols do not define a error alert for sequence
1406 * number overflow. We use handshake_failure error alert
1407 * for handshaking and bad_record_mac for other records.
1408 */
1409 if (debug != null && Debug.isOn("ssl")) {
1410 System.out.println(Thread.currentThread().getName() +
1411 ", sequence number extremely close to overflow " +
1412 "(2^64-1 packets). Closing connection.");
1413 }
1414
1415 fatal(Alerts.alert_handshake_failure, "sequence number overflow");
1416
1417 return true; // make the compiler happy
1418 }
1419
1420 /*
1421 * Ask for renegotiation when need to renew sequence number.
1422 *
1423 * Don't bother to kickstart the renegotiation when the local is
1424 * asking for it.
1425 */
1426 if ((type != Record.ct_handshake) && authenticator.seqNumIsHuge()) {
1427 if (debug != null && Debug.isOn("ssl")) {
1428 System.out.println(Thread.currentThread().getName() +
1429 ", request renegotiation " +
1430 "to avoid sequence number overflow");
1431 }
1432
1433 beginHandshake();
1434 return true;
1435 }
1436
1437 return false;
1438 }
1439
1440 /**
1441 * Signals that no more outbound application data will be sent
1442 * on this <code>SSLEngine</code>.
1443 */
1444 private void closeOutboundInternal() {
1445
1446 if ((debug != null) && Debug.isOn("ssl")) {
1447 System.out.println(Thread.currentThread().getName() +
1448 ", closeOutboundInternal()");
1449 }
1450
1451 /*
1452 * Already closed, ignore
1453 */
1454 if (writer.isOutboundDone()) {
1455 return;
1456 }
1457
1458 switch (connectionState) {
1459
1460 /*
1461 * If we haven't even started yet, don't bother reading inbound.
1462 */
1463 case cs_START:
1464 writer.closeOutbound();
1465 inboundDone = true;
1466 break;
1467
1468 case cs_ERROR:
1469 case cs_CLOSED:
1470 break;
1471
1472 /*
1473 * Otherwise we indicate clean termination.
1474 */
1475 // case cs_HANDSHAKE:
1476 // case cs_DATA:
1477 // case cs_RENEGOTIATE:
1478 default:
1479 warning(Alerts.alert_close_notify);
1480 writer.closeOutbound();
1481 break;
1482 }
1483
1484 // See comment in changeReadCiphers()
1485 writeCipher.dispose();
1486
1487 connectionState = cs_CLOSED;
1488 }
1489
1490 @Override
1491 synchronized public void closeOutbound() {
1492 /*
1493 * Dump out a close_notify to the remote side
1494 */
1495 if ((debug != null) && Debug.isOn("ssl")) {
1496 System.out.println(Thread.currentThread().getName() +
1497 ", called closeOutbound()");
1498 }
1499
1500 closeOutboundInternal();
1501 }
1502
1503 /**
1504 * Returns the outbound application data closure state
1505 */
1506 @Override
1507 public boolean isOutboundDone() {
1508 return writer.isOutboundDone();
1509 }
1510
1511 /**
1512 * Signals that no more inbound network data will be sent
1513 * to this <code>SSLEngine</code>.
1514 */
1515 private void closeInboundInternal() {
1516
1517 if ((debug != null) && Debug.isOn("ssl")) {
1518 System.out.println(Thread.currentThread().getName() +
1519 ", closeInboundInternal()");
1520 }
1521
1522 /*
1523 * Already closed, ignore
1524 */
1525 if (inboundDone) {
1526 return;
1527 }
1528
1529 closeOutboundInternal();
1530 inboundDone = true;
1531
1532 // See comment in changeReadCiphers()
1533 readCipher.dispose();
1534
1535 connectionState = cs_CLOSED;
1536 }
1537
1538 /*
1539 * Close the inbound side of the connection. We grab the
1540 * lock here, and do the real work in the internal verison.
1541 * We do check for truncation attacks.
1542 */
1543 @Override
1544 synchronized public void closeInbound() throws SSLException {
1545 /*
1546 * Currently closes the outbound side as well. The IETF TLS
1547 * working group has expressed the opinion that 1/2 open
1548 * connections are not allowed by the spec. May change
1549 * someday in the future.
1550 */
1551 if ((debug != null) && Debug.isOn("ssl")) {
1552 System.out.println(Thread.currentThread().getName() +
1553 ", called closeInbound()");
1554 }
1555
1556 /*
1557 * No need to throw an Exception if we haven't even started yet.
1558 */
1559 if ((connectionState != cs_START) && !recvCN) {
1560 recvCN = true; // Only receive the Exception once
1561 fatal(Alerts.alert_internal_error,
1562 "Inbound closed before receiving peer's close_notify: " +
1563 "possible truncation attack?");
1564 } else {
1565 /*
1566 * Currently, this is a no-op, but in case we change
1567 * the close inbound code later.
1568 */
1569 closeInboundInternal();
1570 }
1571 }
1572
1573 /**
1574 * Returns the network inbound data closure state
1575 */
1576 @Override
1577 synchronized public boolean isInboundDone() {
1578 return inboundDone;
1579 }
1580
1581
1582 //
1583 // Misc stuff
1584 //
1585
1586
1587 /**
1588 * Returns the current <code>SSLSession</code> for this
1589 * <code>SSLEngine</code>
1590 * <P>
1591 * These can be long lived, and frequently correspond to an
1592 * entire login session for some user.
1593 */
1594 @Override
1595 synchronized public SSLSession getSession() {
1596 return sess;
1597 }
1598
1599 @Override
1600 synchronized public SSLSession getHandshakeSession() {
1601 return handshakeSession;
1602 }
1603
1604 synchronized void setHandshakeSession(SSLSessionImpl session) {
1605 handshakeSession = session;
1606 }
1607
1608 /**
1609 * Returns a delegated <code>Runnable</code> task for
1610 * this <code>SSLEngine</code>.
1611 */
1612 @Override
1613 synchronized public Runnable getDelegatedTask() {
1614 if (handshaker != null) {
1615 return handshaker.getTask();
1616 }
1617 return null;
1618 }
1619
1620
1621 //
1622 // EXCEPTION AND ALERT HANDLING
1623 //
1624
1625 /*
1626 * Send a warning alert.
1627 */
1628 void warning(byte description) {
1629 sendAlert(Alerts.alert_warning, description);
1630 }
1631
1632 synchronized void fatal(byte description, String diagnostic)
1633 throws SSLException {
1634 fatal(description, diagnostic, null);
1635 }
1636
1637 synchronized void fatal(byte description, Throwable cause)
1638 throws SSLException {
1639 fatal(description, null, cause);
1640 }
1641
1642 /*
1643 * We've got a fatal error here, so start the shutdown process.
1644 *
1645 * Because of the way the code was written, we have some code
1646 * calling fatal directly when the "description" is known
1647 * and some throwing Exceptions which are then caught by higher
1648 * levels which then call here. This code needs to determine
1649 * if one of the lower levels has already started the process.
1650 *
1651 * We won't worry about Error's, if we have one of those,
1652 * we're in worse trouble. Note: the networking code doesn't
1653 * deal with Errors either.
1654 */
1655 synchronized void fatal(byte description, String diagnostic,
1656 Throwable cause) throws SSLException {
1657
1658 /*
1659 * If we have no further information, make a general-purpose
1660 * message for folks to see. We generally have one or the other.
1661 */
1662 if (diagnostic == null) {
1663 diagnostic = "General SSLEngine problem";
1664 }
1665 if (cause == null) {
1666 cause = Alerts.getSSLException(description, cause, diagnostic);
1667 }
1668
1669 /*
1670 * If we've already shutdown because of an error,
1671 * there is nothing we can do except rethrow the exception.
1672 *
1673 * Most exceptions seen here will be SSLExceptions.
1674 * We may find the occasional Exception which hasn't been
1675 * converted to a SSLException, so we'll do it here.
1676 */
1677 if (closeReason != null) {
1678 if ((debug != null) && Debug.isOn("ssl")) {
1679 System.out.println(Thread.currentThread().getName() +
1680 ", fatal: engine already closed. Rethrowing " +
1681 cause.toString());
1682 }
1683 if (cause instanceof RuntimeException) {
1684 throw (RuntimeException)cause;
1685 } else if (cause instanceof SSLException) {
1686 throw (SSLException)cause;
1687 } else if (cause instanceof Exception) {
1688 throw new SSLException("fatal SSLEngine condition", cause);
1689 }
1690 }
1691
1692 if ((debug != null) && Debug.isOn("ssl")) {
1693 System.out.println(Thread.currentThread().getName()
1694 + ", fatal error: " + description +
1695 ": " + diagnostic + "\n" + cause.toString());
1696 }
1697
1698 /*
1699 * Ok, this engine's going down.
1700 */
1701 int oldState = connectionState;
1702 connectionState = cs_ERROR;
1703
1704 inboundDone = true;
1705
1706 sess.invalidate();
1707 if (handshakeSession != null) {
1708 handshakeSession.invalidate();
1709 }
1710
1711 /*
1712 * If we haven't even started handshaking yet, no need
1713 * to generate the fatal close alert.
1714 */
1715 if (oldState != cs_START) {
1716 sendAlert(Alerts.alert_fatal, description);
1717 }
1718
1719 if (cause instanceof SSLException) { // only true if != null
1720 closeReason = (SSLException)cause;
1721 } else {
1722 /*
1723 * Including RuntimeExceptions, but we'll throw those
1724 * down below. The closeReason isn't used again,
1725 * except for null checks.
1726 */
1727 closeReason =
1728 Alerts.getSSLException(description, cause, diagnostic);
1729 }
1730
1731 writer.closeOutbound();
1732
1733 connectionState = cs_CLOSED;
1734
1735 // See comment in changeReadCiphers()
1736 readCipher.dispose();
1737 writeCipher.dispose();
1738
1739 if (cause instanceof RuntimeException) {
1740 throw (RuntimeException)cause;
1741 } else {
1742 throw closeReason;
1743 }
1744 }
1745
1746 /*
1747 * Process an incoming alert ... caller must already have synchronized
1748 * access to "this".
1749 */
1750 private void recvAlert() throws IOException {
1751 byte level = (byte)inputRecord.read();
1752 byte description = (byte)inputRecord.read();
1753 if (description == -1) { // check for short message
1754 fatal(Alerts.alert_illegal_parameter, "Short alert message");
1755 }
1756
1757 if (debug != null && (Debug.isOn("record") ||
1758 Debug.isOn("handshake"))) {
1759 synchronized (System.out) {
1760 System.out.print(Thread.currentThread().getName());
1761 System.out.print(", RECV " + protocolVersion + " ALERT: ");
1762 if (level == Alerts.alert_fatal) {
1763 System.out.print("fatal, ");
1764 } else if (level == Alerts.alert_warning) {
1765 System.out.print("warning, ");
1766 } else {
1767 System.out.print("<level " + (0x0ff & level) + ">, ");
1768 }
1769 System.out.println(Alerts.alertDescription(description));
1770 }
1771 }
1772
1773 if (level == Alerts.alert_warning) {
1774 if (description == Alerts.alert_close_notify) {
1775 if (connectionState == cs_HANDSHAKE) {
1776 fatal(Alerts.alert_unexpected_message,
1777 "Received close_notify during handshake");
1778 } else {
1779 recvCN = true;
1780 closeInboundInternal(); // reply to close
1781 }
1782 } else {
1783
1784 //
1785 // The other legal warnings relate to certificates,
1786 // e.g. no_certificate, bad_certificate, etc; these
1787 // are important to the handshaking code, which can
1788 // also handle illegal protocol alerts if needed.
1789 //
1790 if (handshaker != null) {
1791 handshaker.handshakeAlert(description);
1792 }
1793 }
1794 } else { // fatal or unknown level
1795 String reason = "Received fatal alert: "
1796 + Alerts.alertDescription(description);
1797 if (closeReason == null) {
1798 closeReason = Alerts.getSSLException(description, reason);
1799 }
1800 fatal(Alerts.alert_unexpected_message, reason);
1801 }
1802 }
1803
1804
1805 /*
1806 * Emit alerts. Caller must have synchronized with "this".
1807 */
1808 private void sendAlert(byte level, byte description) {
1809 // the connectionState cannot be cs_START
1810 if (connectionState >= cs_CLOSED) {
1811 return;
1812 }
1813
1814 // For initial handshaking, don't send alert message to peer if
1815 // handshaker has not started.
1816 if (connectionState == cs_HANDSHAKE &&
1817 (handshaker == null || !handshaker.started())) {
1818 return;
1819 }
1820
1821 EngineOutputRecord r = new EngineOutputRecord(Record.ct_alert, this);
1822 r.setVersion(protocolVersion);
1823
1824 boolean useDebug = debug != null && Debug.isOn("ssl");
1825 if (useDebug) {
1826 synchronized (System.out) {
1827 System.out.print(Thread.currentThread().getName());
1828 System.out.print(", SEND " + protocolVersion + " ALERT: ");
1829 if (level == Alerts.alert_fatal) {
1830 System.out.print("fatal, ");
1831 } else if (level == Alerts.alert_warning) {
1832 System.out.print("warning, ");
1833 } else {
1834 System.out.print("<level = " + (0x0ff & level) + ">, ");
1835 }
1836 System.out.println("description = "
1837 + Alerts.alertDescription(description));
1838 }
1839 }
1840
1841 r.write(level);
1842 r.write(description);
1843 try {
1844 writeRecord(r);
1845 } catch (IOException e) {
1846 if (useDebug) {
1847 System.out.println(Thread.currentThread().getName() +
1848 ", Exception sending alert: " + e);
1849 }
1850 }
1851 }
1852
1853
1854 //
1855 // VARIOUS OTHER METHODS (COMMON TO SSLSocket)
1856 //
1857
1858
1859 /**
1860 * Controls whether new connections may cause creation of new SSL
1861 * sessions.
1862 *
1863 * As long as handshaking has not started, we can change
1864 * whether we enable session creations. Otherwise,
1865 * we will need to wait for the next handshake.
1866 */
1867 @Override
1868 synchronized public void setEnableSessionCreation(boolean flag) {
1869 enableSessionCreation = flag;
1870
1871 if ((handshaker != null) && !handshaker.activated()) {
1872 handshaker.setEnableSessionCreation(enableSessionCreation);
1873 }
1874 }
1875
1876 /**
1877 * Returns true if new connections may cause creation of new SSL
1878 * sessions.
1879 */
1880 @Override
1881 synchronized public boolean getEnableSessionCreation() {
1882 return enableSessionCreation;
1883 }
1884
1885
1886 /**
1887 * Sets the flag controlling whether a server mode engine
1888 * *REQUIRES* SSL client authentication.
1889 *
1890 * As long as handshaking has not started, we can change
1891 * whether client authentication is needed. Otherwise,
1892 * we will need to wait for the next handshake.
1893 */
1894 @Override
1895 synchronized public void setNeedClientAuth(boolean flag) {
1896 doClientAuth = (flag ?
1897 SSLEngineImpl.clauth_required : SSLEngineImpl.clauth_none);
1898
1899 if ((handshaker != null) &&
1900 (handshaker instanceof ServerHandshaker) &&
1901 !handshaker.activated()) {
1902 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
1903 }
1904 }
1905
1906 @Override
1907 synchronized public boolean getNeedClientAuth() {
1908 return (doClientAuth == SSLEngineImpl.clauth_required);
1909 }
1910
1911 /**
1912 * Sets the flag controlling whether a server mode engine
1913 * *REQUESTS* SSL client authentication.
1914 *
1915 * As long as handshaking has not started, we can change
1916 * whether client authentication is requested. Otherwise,
1917 * we will need to wait for the next handshake.
1918 */
1919 @Override
1920 synchronized public void setWantClientAuth(boolean flag) {
1921 doClientAuth = (flag ?
1922 SSLEngineImpl.clauth_requested : SSLEngineImpl.clauth_none);
1923
1924 if ((handshaker != null) &&
1925 (handshaker instanceof ServerHandshaker) &&
1926 !handshaker.activated()) {
1927 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
1928 }
1929 }
1930
1931 @Override
1932 synchronized public boolean getWantClientAuth() {
1933 return (doClientAuth == SSLEngineImpl.clauth_requested);
1934 }
1935
1936
1937 /**
1938 * Sets the flag controlling whether the engine is in SSL
1939 * client or server mode. Must be called before any SSL
1940 * traffic has started.
1941 */
1942 @Override
1943 @SuppressWarnings("fallthrough")
1944 synchronized public void setUseClientMode(boolean flag) {
1945 switch (connectionState) {
1946
1947 case cs_START:
1948 /*
1949 * If we need to change the engine mode and the enabled
1950 * protocols haven't specifically been set by the user,
1951 * change them to the corresponding default ones.
1952 */
1953 if (roleIsServer != (!flag) &&
1954 sslContext.isDefaultProtocolList(enabledProtocols)) {
1955 enabledProtocols = sslContext.getDefaultProtocolList(!flag);
1956 }
1957
1958 roleIsServer = !flag;
1959 serverModeSet = true;
1960 break;
1961
1962 case cs_HANDSHAKE:
1963 /*
1964 * If we have a handshaker, but haven't started
1965 * SSL traffic, we can throw away our current
1966 * handshaker, and start from scratch. Don't
1967 * need to call doneConnect() again, we already
1968 * have the streams.
1969 */
1970 assert(handshaker != null);
1971 if (!handshaker.activated()) {
1972 /*
1973 * If we need to change the engine mode and the enabled
1974 * protocols haven't specifically been set by the user,
1975 * change them to the corresponding default ones.
1976 */
1977 if (roleIsServer != (!flag) &&
1978 sslContext.isDefaultProtocolList(enabledProtocols)) {
1979 enabledProtocols = sslContext.getDefaultProtocolList(!flag);
1980 }
1981
1982 roleIsServer = !flag;
1983 connectionState = cs_START;
1984 initHandshaker();
1985 break;
1986 }
1987
1988 // If handshake has started, that's an error. Fall through...
1989
1990 default:
1991 if (debug != null && Debug.isOn("ssl")) {
1992 System.out.println(Thread.currentThread().getName() +
1993 ", setUseClientMode() invoked in state = " +
1994 connectionState);
1995 }
1996
1997 /*
1998 * We can let them continue if they catch this correctly,
1999 * we don't need to shut this down.
2000 */
2001 throw new IllegalArgumentException(
2002 "Cannot change mode after SSL traffic has started");
2003 }
2004 }
2005
2006 @Override
2007 synchronized public boolean getUseClientMode() {
2008 return !roleIsServer;
2009 }
2010
2011
2012 /**
2013 * Returns the names of the cipher suites which could be enabled for use
2014 * on an SSL connection. Normally, only a subset of these will actually
2015 * be enabled by default, since this list may include cipher suites which
2016 * do not support the mutual authentication of servers and clients, or
2017 * which do not protect data confidentiality. Servers may also need
2018 * certain kinds of certificates to use certain cipher suites.
2019 *
2020 * @return an array of cipher suite names
2021 */
2022 @Override
2023 public String[] getSupportedCipherSuites() {
2024 return sslContext.getSupportedCipherSuiteList().toStringArray();
2025 }
2026
2027 /**
2028 * Controls which particular cipher suites are enabled for use on
2029 * this connection. The cipher suites must have been listed by
2030 * getCipherSuites() as being supported. Even if a suite has been
2031 * enabled, it might never be used if no peer supports it or the
2032 * requisite certificates (and private keys) are not available.
2033 *
2034 * @param suites Names of all the cipher suites to enable.
2035 */
2036 @Override
2037 synchronized public void setEnabledCipherSuites(String[] suites) {
2038 enabledCipherSuites = new CipherSuiteList(suites);
2039 if ((handshaker != null) && !handshaker.activated()) {
2040 handshaker.setEnabledCipherSuites(enabledCipherSuites);
2041 }
2042 }
2043
2044 /**
2045 * Returns the names of the SSL cipher suites which are currently enabled
2046 * for use on this connection. When an SSL engine is first created,
2047 * all enabled cipher suites <em>(a)</em> protect data confidentiality,
2048 * by traffic encryption, and <em>(b)</em> can mutually authenticate
2049 * both clients and servers. Thus, in some environments, this value
2050 * might be empty.
2051 *
2052 * @return an array of cipher suite names
2053 */
2054 @Override
2055 synchronized public String[] getEnabledCipherSuites() {
2056 return enabledCipherSuites.toStringArray();
2057 }
2058
2059
2060 /**
2061 * Returns the protocols that are supported by this implementation.
2062 * A subset of the supported protocols may be enabled for this connection
2063 * @return an array of protocol names.
2064 */
2065 @Override
2066 public String[] getSupportedProtocols() {
2067 return sslContext.getSuportedProtocolList().toStringArray();
2068 }
2069
2070 /**
2071 * Controls which protocols are enabled for use on
2072 * this connection. The protocols must have been listed by
2073 * getSupportedProtocols() as being supported.
2074 *
2075 * @param protocols protocols to enable.
2076 * @exception IllegalArgumentException when one of the protocols
2077 * named by the parameter is not supported.
2078 */
2079 @Override
2080 synchronized public void setEnabledProtocols(String[] protocols) {
2081 enabledProtocols = new ProtocolList(protocols);
2082 if ((handshaker != null) && !handshaker.activated()) {
2083 handshaker.setEnabledProtocols(enabledProtocols);
2084 }
2085 }
2086
2087 @Override
2088 synchronized public String[] getEnabledProtocols() {
2089 return enabledProtocols.toStringArray();
2090 }
2091
2092 /**
2093 * Returns the SSLParameters in effect for this SSLEngine.
2094 */
2095 @Override
2096 synchronized public SSLParameters getSSLParameters() {
2097 SSLParameters params = super.getSSLParameters();
2098
2099 // the super implementation does not handle the following parameters
2100 params.setEndpointIdentificationAlgorithm(identificationProtocol);
2101 params.setAlgorithmConstraints(algorithmConstraints);
2102 params.setSNIMatchers(sniMatchers);
2103 params.setServerNames(serverNames);
2104 params.setUseCipherSuitesOrder(preferLocalCipherSuites);
2105
2106 return params;
2107 }
2108
2109 /**
2110 * Applies SSLParameters to this engine.
2111 */
2112 @Override
2113 synchronized public void setSSLParameters(SSLParameters params) {
2114 super.setSSLParameters(params);
2115
2116 // the super implementation does not handle the following parameters
2117 identificationProtocol = params.getEndpointIdentificationAlgorithm();
2118 algorithmConstraints = params.getAlgorithmConstraints();
2119 preferLocalCipherSuites = params.getUseCipherSuitesOrder();
2120
2121 List<SNIServerName> sniNames = params.getServerNames();
2122 if (sniNames != null) {
2123 serverNames = sniNames;
2124 }
2125
2126 Collection<SNIMatcher> matchers = params.getSNIMatchers();
2127 if (matchers != null) {
2128 sniMatchers = matchers;
2129 }
2130
2131 if ((handshaker != null) && !handshaker.started()) {
2132 handshaker.setIdentificationProtocol(identificationProtocol);
2133 handshaker.setAlgorithmConstraints(algorithmConstraints);
2134 if (roleIsServer) {
2135 handshaker.setSNIMatchers(sniMatchers);
2136 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
2137 } else {
2138 handshaker.setSNIServerNames(serverNames);
2139 }
2140 }
2141 }
2142
2143 /**
2144 * Returns a boolean indicating whether the ChangeCipherSpec message
2145 * has been received for this handshake.
2146 */
2147 boolean receivedChangeCipherSpec() {
2148 return receivedCCS;
2149 }
2150
2151 /**
2152 * Returns a printable representation of this end of the connection.
2153 */
2154 @Override
2155 public String toString() {
2156 StringBuilder retval = new StringBuilder(80);
2157
2158 retval.append(Integer.toHexString(hashCode()));
2159 retval.append("[");
2160 retval.append("SSLEngine[hostname=");
2161 String host = getPeerHost();
2162 retval.append((host == null) ? "null" : host);
2163 retval.append(" port=");
2164 retval.append(Integer.toString(getPeerPort()));
2165 retval.append("] ");
2166 retval.append(getSession().getCipherSuite());
2167 retval.append("]");
2168
2169 return retval.toString();
2170 }
2171 }