1 /* 2 * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.io.*; 29 import java.nio.*; 30 import java.util.*; 31 import java.security.*; 32 33 import javax.crypto.BadPaddingException; 34 35 import javax.net.ssl.*; 36 import javax.net.ssl.SSLEngineResult.*; 37 38 /** 39 * Implementation of an non-blocking SSLEngine. 40 * 41 * *Currently*, the SSLEngine code exists in parallel with the current 42 * SSLSocket. As such, the current implementation is using legacy code 43 * with many of the same abstractions. However, it varies in many 44 * areas, most dramatically in the IO handling. 45 * 46 * There are three main I/O threads that can be existing in parallel: 47 * wrap(), unwrap(), and beginHandshake(). We are encouraging users to 48 * not call multiple instances of wrap or unwrap, because the data could 49 * appear to flow out of the SSLEngine in a non-sequential order. We 50 * take all steps we can to at least make sure the ordering remains 51 * consistent, but once the calls returns, anything can happen. For 52 * example, thread1 and thread2 both call wrap, thread1 gets the first 53 * packet, thread2 gets the second packet, but thread2 gets control back 54 * before thread1, and sends the data. The receiving side would see an 55 * out-of-order error. 56 * 57 * Handshaking is still done the same way as SSLSocket using the normal 58 * InputStream/OutputStream abstactions. We create 59 * ClientHandshakers/ServerHandshakers, which produce/consume the 60 * handshaking data. The transfer of the data is largely handled by the 61 * HandshakeInStream/HandshakeOutStreams. Lastly, the 62 * InputRecord/OutputRecords still have the same functionality, except 63 * that they are overridden with EngineInputRecord/EngineOutputRecord, 64 * which provide SSLEngine-specific functionality. 65 * 66 * Some of the major differences are: 67 * 68 * EngineInputRecord/EngineOutputRecord/EngineWriter: 69 * 70 * In order to avoid writing whole new control flows for 71 * handshaking, and to reuse most of the same code, we kept most 72 * of the actual handshake code the same. As usual, reading 73 * handshake data may trigger output of more handshake data, so 74 * what we do is write this data to internal buffers, and wait for 75 * wrap() to be called to give that data a ride. 76 * 77 * All data is routed through 78 * EngineInputRecord/EngineOutputRecord. However, all handshake 79 * data (ct_alert/ct_change_cipher_spec/ct_handshake) are passed 80 * through to the underlying InputRecord/OutputRecord, and 81 * the data uses the internal buffers. 82 * 83 * Application data is handled slightly different, we copy the data 84 * directly from the src to the dst buffers, and do all operations 85 * on those buffers, saving the overhead of multiple copies. 86 * 87 * In the case of an inbound record, unwrap passes the inbound 88 * ByteBuffer to the InputRecord. If the data is handshake data, 89 * the data is read into the InputRecord's internal buffer. If 90 * the data is application data, the data is decoded directly into 91 * the dst buffer. 92 * 93 * In the case of an outbound record, when the write to the 94 * "real" OutputStream's would normally take place, instead we 95 * call back up to the EngineOutputRecord's version of 96 * writeBuffer, at which time we capture the resulting output in a 97 * ByteBuffer, and send that back to the EngineWriter for internal 98 * storage. 99 * 100 * EngineWriter is responsible for "handling" all outbound 101 * data, be it handshake or app data, and for returning the data 102 * to wrap() in the proper order. 103 * 104 * ClientHandshaker/ServerHandshaker/Handshaker: 105 * Methods which relied on SSLSocket now have work on either 106 * SSLSockets or SSLEngines. 107 * 108 * @author Brad Wetmore 109 */ 110 final public class SSLEngineImpl extends SSLEngine { 111 112 // 113 // Fields and global comments 114 // 115 116 /* 117 * There's a state machine associated with each connection, which 118 * among other roles serves to negotiate session changes. 119 * 120 * - START with constructor, until the TCP connection's around. 121 * - HANDSHAKE picks session parameters before allowing traffic. 122 * There are many substates due to sequencing requirements 123 * for handshake messages. 124 * - DATA may be transmitted. 125 * - RENEGOTIATE state allows concurrent data and handshaking 126 * traffic ("same" substates as HANDSHAKE), and terminates 127 * in selection of new session (and connection) parameters 128 * - ERROR state immediately precedes abortive disconnect. 129 * - CLOSED when one side closes down, used to start the shutdown 130 * process. SSL connection objects are not reused. 131 * 132 * State affects what SSL record types may legally be sent: 133 * 134 * - Handshake ... only in HANDSHAKE and RENEGOTIATE states 135 * - App Data ... only in DATA and RENEGOTIATE states 136 * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE 137 * 138 * Re what may be received: same as what may be sent, except that 139 * HandshakeRequest handshaking messages can come from servers even 140 * in the application data state, to request entry to RENEGOTIATE. 141 * 142 * The state machine within HANDSHAKE and RENEGOTIATE states controls 143 * the pending session, not the connection state, until the change 144 * cipher spec and "Finished" handshake messages are processed and 145 * make the "new" session become the current one. 146 * 147 * NOTE: details of the SMs always need to be nailed down better. 148 * The text above illustrates the core ideas. 149 * 150 * +---->-------+------>--------->-------+ 151 * | | | 152 * <-----< ^ ^ <-----< | 153 *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE | 154 * v v v | 155 * | | | | 156 * +------------+---------------+ | 157 * | | 158 * v | 159 * ERROR>------>----->CLOSED<--------<----+ 160 * 161 * ALSO, note that the purpose of handshaking (renegotiation is 162 * included) is to assign a different, and perhaps new, session to 163 * the connection. The SSLv3 spec is a bit confusing on that new 164 * protocol feature. 165 */ 166 private int connectionState; 167 168 private static final int cs_START = 0; 169 private static final int cs_HANDSHAKE = 1; 170 private static final int cs_DATA = 2; 171 private static final int cs_RENEGOTIATE = 3; 172 private static final int cs_ERROR = 4; 173 private static final int cs_CLOSED = 6; 174 175 /* 176 * Once we're in state cs_CLOSED, we can continue to 177 * wrap/unwrap until we finish sending/receiving the messages 178 * for close_notify. EngineWriter handles outboundDone. 179 */ 180 private boolean inboundDone = false; 181 182 EngineWriter writer; 183 184 /* 185 * The authentication context holds all information used to establish 186 * who this end of the connection is (certificate chains, private keys, 187 * etc) and who is trusted (e.g. as CAs or websites). 188 */ 189 private SSLContextImpl sslContext; 190 191 /* 192 * This connection is one of (potentially) many associated with 193 * any given session. The output of the handshake protocol is a 194 * new session ... although all the protocol description talks 195 * about changing the cipher spec (and it does change), in fact 196 * that's incidental since it's done by changing everything that 197 * is associated with a session at the same time. (TLS/IETF may 198 * change that to add client authentication w/o new key exchg.) 199 */ 200 private Handshaker handshaker; 201 private SSLSessionImpl sess; 202 private volatile SSLSessionImpl handshakeSession; 203 204 205 /* 206 * Client authentication be off, requested, or required. 207 * 208 * This will be used by both this class and SSLSocket's variants. 209 */ 210 static final byte clauth_none = 0; 211 static final byte clauth_requested = 1; 212 static final byte clauth_required = 2; 213 214 /* 215 * Flag indicating that the engine has received a ChangeCipherSpec message. 216 */ 217 private boolean receivedCCS; 218 219 /* 220 * Flag indicating if the next record we receive MUST be a Finished 221 * message. Temporarily set during the handshake to ensure that 222 * a change cipher spec message is followed by a finished message. 223 */ 224 private boolean expectingFinished; 225 226 227 /* 228 * If someone tries to closeInbound() (say at End-Of-Stream) 229 * our engine having received a close_notify, we need to 230 * notify the app that we may have a truncation attack underway. 231 */ 232 private boolean recvCN; 233 234 /* 235 * For improved diagnostics, we detail connection closure 236 * If the engine is closed (connectionState >= cs_ERROR), 237 * closeReason != null indicates if the engine was closed 238 * because of an error or because or normal shutdown. 239 */ 240 private SSLException closeReason; 241 242 /* 243 * Per-connection private state that doesn't change when the 244 * session is changed. 245 */ 246 private byte doClientAuth; 247 private boolean enableSessionCreation = true; 248 EngineInputRecord inputRecord; 249 EngineOutputRecord outputRecord; 250 private AccessControlContext acc; 251 252 // The cipher suites enabled for use on this connection. 253 private CipherSuiteList enabledCipherSuites; 254 255 // the endpoint identification protocol 256 private String identificationProtocol = null; 257 258 // The cryptographic algorithm constraints 259 private AlgorithmConstraints algorithmConstraints = null; 260 261 // The server name indication and matchers 262 List<SNIServerName> serverNames = 263 Collections.<SNIServerName>emptyList(); 264 Collection<SNIMatcher> sniMatchers = 265 Collections.<SNIMatcher>emptyList(); 266 267 // Have we been told whether we're client or server? 268 private boolean serverModeSet = false; 269 private boolean roleIsServer; 270 271 /* 272 * The protocol versions enabled for use on this connection. 273 * 274 * Note: we support a pseudo protocol called SSLv2Hello which when 275 * set will result in an SSL v2 Hello being sent with SSL (version 3.0) 276 * or TLS (version 3.1, 3.2, etc.) version info. 277 */ 278 private ProtocolList enabledProtocols; 279 280 /* 281 * The SSL version associated with this connection. 282 */ 283 private ProtocolVersion protocolVersion = ProtocolVersion.DEFAULT; 284 285 /* 286 * Crypto state that's reinitialized when the session changes. 287 */ 288 private Authenticator readAuthenticator, writeAuthenticator; 289 private CipherBox readCipher, writeCipher; 290 // NOTE: compression state would be saved here 291 292 /* 293 * security parameters for secure renegotiation. 294 */ 295 private boolean secureRenegotiation; 296 private byte[] clientVerifyData; 297 private byte[] serverVerifyData; 298 299 /* 300 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME * 301 * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES. 302 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME * 303 * 304 * There are several locks here. 305 * 306 * The primary lock is the per-instance lock used by 307 * synchronized(this) and the synchronized methods. It controls all 308 * access to things such as the connection state and variables which 309 * affect handshaking. If we are inside a synchronized method, we 310 * can access the state directly, otherwise, we must use the 311 * synchronized equivalents. 312 * 313 * Note that we must never acquire the <code>this</code> lock after 314 * <code>writeLock</code> or run the risk of deadlock. 315 * 316 * Grab some coffee, and be careful with any code changes. 317 */ 318 private Object wrapLock; 319 private Object unwrapLock; 320 Object writeLock; 321 322 /* 323 * Is it the first application record to write? 324 */ 325 private boolean isFirstAppOutputRecord = true; 326 327 /* 328 * Whether local cipher suites preference in server side should be 329 * honored during handshaking? 330 */ 331 private boolean preferLocalCipherSuites = false; 332 333 /* 334 * Class and subclass dynamic debugging support 335 */ 336 private static final Debug debug = Debug.getInstance("ssl"); 337 338 // 339 // Initialization/Constructors 340 // 341 342 /** 343 * Constructor for an SSLEngine from SSLContext, without 344 * host/port hints. This Engine will not be able to cache 345 * sessions, but must renegotiate everything by hand. 346 */ 347 SSLEngineImpl(SSLContextImpl ctx) { 348 super(); 349 init(ctx); 350 } 351 352 /** 353 * Constructor for an SSLEngine from SSLContext. 354 */ 355 SSLEngineImpl(SSLContextImpl ctx, String host, int port) { 356 super(host, port); 357 init(ctx); 358 } 359 360 /** 361 * Initializes the Engine 362 */ 363 private void init(SSLContextImpl ctx) { 364 if (debug != null && Debug.isOn("ssl")) { 365 System.out.println("Using SSLEngineImpl."); 366 } 367 368 sslContext = ctx; 369 sess = SSLSessionImpl.nullSession; 370 handshakeSession = null; 371 372 /* 373 * State is cs_START until we initialize the handshaker. 374 * 375 * Apps using SSLEngine are probably going to be server. 376 * Somewhat arbitrary choice. 377 */ 378 roleIsServer = true; 379 connectionState = cs_START; 380 receivedCCS = false; 381 382 // default server name indication 383 serverNames = 384 Utilities.addToSNIServerNameList(serverNames, getPeerHost()); 385 386 /* 387 * default read and write side cipher and MAC support 388 * 389 * Note: compression support would go here too 390 */ 391 readCipher = CipherBox.NULL; 392 readAuthenticator = MAC.NULL; 393 writeCipher = CipherBox.NULL; 394 writeAuthenticator = MAC.NULL; 395 396 // default security parameters for secure renegotiation 397 secureRenegotiation = false; 398 clientVerifyData = new byte[0]; 399 serverVerifyData = new byte[0]; 400 401 enabledCipherSuites = 402 sslContext.getDefaultCipherSuiteList(roleIsServer); 403 enabledProtocols = 404 sslContext.getDefaultProtocolList(roleIsServer); 405 406 wrapLock = new Object(); 407 unwrapLock = new Object(); 408 writeLock = new Object(); 409 410 /* 411 * Save the Access Control Context. This will be used later 412 * for a couple of things, including providing a context to 413 * run tasks in, and for determining which credentials 414 * to use for Subject based (JAAS) decisions 415 */ 416 acc = AccessController.getContext(); 417 418 /* 419 * All outbound application data goes through this OutputRecord, 420 * other data goes through their respective records created 421 * elsewhere. All inbound data goes through this one 422 * input record. 423 */ 424 outputRecord = 425 new EngineOutputRecord(Record.ct_application_data, this); 426 inputRecord = new EngineInputRecord(this); 427 inputRecord.enableFormatChecks(); 428 429 writer = new EngineWriter(); 430 } 431 432 /** 433 * Initialize the handshaker object. This means: 434 * 435 * . if a handshake is already in progress (state is cs_HANDSHAKE 436 * or cs_RENEGOTIATE), do nothing and return 437 * 438 * . if the engine is already closed, throw an Exception (internal error) 439 * 440 * . otherwise (cs_START or cs_DATA), create the appropriate handshaker 441 * object and advance the connection state (to cs_HANDSHAKE or 442 * cs_RENEGOTIATE, respectively). 443 * 444 * This method is called right after a new engine is created, when 445 * starting renegotiation, or when changing client/server mode of the 446 * engine. 447 */ 448 private void initHandshaker() { 449 switch (connectionState) { 450 451 // 452 // Starting a new handshake. 453 // 454 case cs_START: 455 case cs_DATA: 456 break; 457 458 // 459 // We're already in the middle of a handshake. 460 // 461 case cs_HANDSHAKE: 462 case cs_RENEGOTIATE: 463 return; 464 465 // 466 // Anyone allowed to call this routine is required to 467 // do so ONLY if the connection state is reasonable... 468 // 469 default: 470 throw new IllegalStateException("Internal error"); 471 } 472 473 // state is either cs_START or cs_DATA 474 if (connectionState == cs_START) { 475 connectionState = cs_HANDSHAKE; 476 } else { // cs_DATA 477 connectionState = cs_RENEGOTIATE; 478 } 479 if (roleIsServer) { 480 handshaker = new ServerHandshaker(this, sslContext, 481 enabledProtocols, doClientAuth, 482 protocolVersion, connectionState == cs_HANDSHAKE, 483 secureRenegotiation, clientVerifyData, serverVerifyData); 484 handshaker.setSNIMatchers(sniMatchers); 485 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites); 486 } else { 487 handshaker = new ClientHandshaker(this, sslContext, 488 enabledProtocols, 489 protocolVersion, connectionState == cs_HANDSHAKE, 490 secureRenegotiation, clientVerifyData, serverVerifyData); 491 handshaker.setSNIServerNames(serverNames); 492 } 493 handshaker.setEnabledCipherSuites(enabledCipherSuites); 494 handshaker.setEnableSessionCreation(enableSessionCreation); 495 } 496 497 /* 498 * Report the current status of the Handshaker 499 */ 500 private HandshakeStatus getHSStatus(HandshakeStatus hss) { 501 502 if (hss != null) { 503 return hss; 504 } 505 506 synchronized (this) { 507 if (writer.hasOutboundData()) { 508 return HandshakeStatus.NEED_WRAP; 509 } else if (handshaker != null) { 510 if (handshaker.taskOutstanding()) { 511 return HandshakeStatus.NEED_TASK; 512 } else { 513 return HandshakeStatus.NEED_UNWRAP; 514 } 515 } else if (connectionState == cs_CLOSED) { 516 /* 517 * Special case where we're closing, but 518 * still need the close_notify before we 519 * can officially be closed. 520 * 521 * Note isOutboundDone is taken care of by 522 * hasOutboundData() above. 523 */ 524 if (!isInboundDone()) { 525 return HandshakeStatus.NEED_UNWRAP; 526 } // else not handshaking 527 } 528 529 return HandshakeStatus.NOT_HANDSHAKING; 530 } 531 } 532 533 synchronized private void checkTaskThrown() throws SSLException { 534 if (handshaker != null) { 535 handshaker.checkThrown(); 536 } 537 } 538 539 // 540 // Handshaking and connection state code 541 // 542 543 /* 544 * Provides "this" synchronization for connection state. 545 * Otherwise, you can access it directly. 546 */ 547 synchronized private int getConnectionState() { 548 return connectionState; 549 } 550 551 synchronized private void setConnectionState(int state) { 552 connectionState = state; 553 } 554 555 /* 556 * Get the Access Control Context. 557 * 558 * Used for a known context to 559 * run tasks in, and for determining which credentials 560 * to use for Subject-based (JAAS) decisions. 561 */ 562 AccessControlContext getAcc() { 563 return acc; 564 } 565 566 /* 567 * Is a handshake currently underway? 568 */ 569 @Override 570 public SSLEngineResult.HandshakeStatus getHandshakeStatus() { 571 return getHSStatus(null); 572 } 573 574 /* 575 * When a connection finishes handshaking by enabling use of a newly 576 * negotiated session, each end learns about it in two halves (read, 577 * and write). When both read and write ciphers have changed, and the 578 * last handshake message has been read, the connection has joined 579 * (rejoined) the new session. 580 * 581 * NOTE: The SSLv3 spec is rather unclear on the concepts here. 582 * Sessions don't change once they're established (including cipher 583 * suite and master secret) but connections can join them (and leave 584 * them). They're created by handshaking, though sometime handshaking 585 * causes connections to join up with pre-established sessions. 586 * 587 * Synchronized on "this" from readRecord. 588 */ 589 private void changeReadCiphers() throws SSLException { 590 if (connectionState != cs_HANDSHAKE 591 && connectionState != cs_RENEGOTIATE) { 592 throw new SSLProtocolException( 593 "State error, change cipher specs"); 594 } 595 596 // ... create decompressor 597 598 CipherBox oldCipher = readCipher; 599 600 try { 601 readCipher = handshaker.newReadCipher(); 602 readAuthenticator = handshaker.newReadAuthenticator(); 603 } catch (GeneralSecurityException e) { 604 // "can't happen" 605 throw new SSLException("Algorithm missing: ", e); 606 } 607 608 /* 609 * Dispose of any intermediate state in the underlying cipher. 610 * For PKCS11 ciphers, this will release any attached sessions, 611 * and thus make finalization faster. 612 * 613 * Since MAC's doFinal() is called for every SSL/TLS packet, it's 614 * not necessary to do the same with MAC's. 615 */ 616 oldCipher.dispose(); 617 } 618 619 /* 620 * used by Handshaker to change the active write cipher, follows 621 * the output of the CCS message. 622 * 623 * Also synchronized on "this" from readRecord/delegatedTask. 624 */ 625 void changeWriteCiphers() throws SSLException { 626 if (connectionState != cs_HANDSHAKE 627 && connectionState != cs_RENEGOTIATE) { 628 throw new SSLProtocolException( 629 "State error, change cipher specs"); 630 } 631 632 // ... create compressor 633 634 CipherBox oldCipher = writeCipher; 635 636 try { 637 writeCipher = handshaker.newWriteCipher(); 638 writeAuthenticator = handshaker.newWriteAuthenticator(); 639 } catch (GeneralSecurityException e) { 640 // "can't happen" 641 throw new SSLException("Algorithm missing: ", e); 642 } 643 644 // See comment above. 645 oldCipher.dispose(); 646 647 // reset the flag of the first application record 648 isFirstAppOutputRecord = true; 649 } 650 651 /* 652 * Updates the SSL version associated with this connection. 653 * Called from Handshaker once it has determined the negotiated version. 654 */ 655 synchronized void setVersion(ProtocolVersion protocolVersion) { 656 this.protocolVersion = protocolVersion; 657 outputRecord.setVersion(protocolVersion); 658 } 659 660 661 /** 662 * Kickstart the handshake if it is not already in progress. 663 * This means: 664 * 665 * . if handshaking is already underway, do nothing and return 666 * 667 * . if the engine is not connected or already closed, throw an 668 * Exception. 669 * 670 * . otherwise, call initHandshake() to initialize the handshaker 671 * object and progress the state. Then, send the initial 672 * handshaking message if appropriate (always on clients and 673 * on servers when renegotiating). 674 */ 675 private synchronized void kickstartHandshake() throws IOException { 676 switch (connectionState) { 677 678 case cs_START: 679 if (!serverModeSet) { 680 throw new IllegalStateException( 681 "Client/Server mode not yet set."); 682 } 683 initHandshaker(); 684 break; 685 686 case cs_HANDSHAKE: 687 // handshaker already setup, proceed 688 break; 689 690 case cs_DATA: 691 if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) { 692 throw new SSLHandshakeException( 693 "Insecure renegotiation is not allowed"); 694 } 695 696 if (!secureRenegotiation) { 697 if (debug != null && Debug.isOn("handshake")) { 698 System.out.println( 699 "Warning: Using insecure renegotiation"); 700 } 701 } 702 703 // initialize the handshaker, move to cs_RENEGOTIATE 704 initHandshaker(); 705 break; 706 707 case cs_RENEGOTIATE: 708 // handshaking already in progress, return 709 return; 710 711 default: 712 // cs_ERROR/cs_CLOSED 713 throw new SSLException("SSLEngine is closing/closed"); 714 } 715 716 // 717 // Kickstart handshake state machine if we need to ... 718 // 719 // Note that handshaker.kickstart() writes the message 720 // to its HandshakeOutStream, which calls back into 721 // SSLSocketImpl.writeRecord() to send it. 722 // 723 if (!handshaker.activated()) { 724 // prior to handshaking, activate the handshake 725 if (connectionState == cs_RENEGOTIATE) { 726 // don't use SSLv2Hello when renegotiating 727 handshaker.activate(protocolVersion); 728 } else { 729 handshaker.activate(null); 730 } 731 732 if (handshaker instanceof ClientHandshaker) { 733 // send client hello 734 handshaker.kickstart(); 735 } else { // instanceof ServerHandshaker 736 if (connectionState == cs_HANDSHAKE) { 737 // initial handshake, no kickstart message to send 738 } else { 739 // we want to renegotiate, send hello request 740 handshaker.kickstart(); 741 742 // hello request is not included in the handshake 743 // hashes, reset them 744 handshaker.handshakeHash.reset(); 745 } 746 } 747 } 748 } 749 750 /* 751 * Start a SSLEngine handshake 752 */ 753 @Override 754 public void beginHandshake() throws SSLException { 755 try { 756 kickstartHandshake(); 757 } catch (Exception e) { 758 fatal(Alerts.alert_handshake_failure, 759 "Couldn't kickstart handshaking", e); 760 } 761 } 762 763 764 // 765 // Read/unwrap side 766 // 767 768 769 /** 770 * Unwraps a buffer. Does a variety of checks before grabbing 771 * the unwrapLock, which blocks multiple unwraps from occurring. 772 */ 773 @Override 774 public SSLEngineResult unwrap(ByteBuffer netData, ByteBuffer [] appData, 775 int offset, int length) throws SSLException { 776 777 EngineArgs ea = new EngineArgs(netData, appData, offset, length); 778 779 try { 780 synchronized (unwrapLock) { 781 return readNetRecord(ea); 782 } 783 } catch (Exception e) { 784 /* 785 * Don't reset position so it looks like we didn't 786 * consume anything. We did consume something, and it 787 * got us into this situation, so report that much back. 788 * Our days of consuming are now over anyway. 789 */ 790 fatal(Alerts.alert_internal_error, 791 "problem unwrapping net record", e); 792 return null; // make compiler happy 793 } finally { 794 /* 795 * Just in case something failed to reset limits properly. 796 */ 797 ea.resetLim(); 798 } 799 } 800 801 /* 802 * Makes additional checks for unwrap, but this time more 803 * specific to this packet and the current state of the machine. 804 */ 805 private SSLEngineResult readNetRecord(EngineArgs ea) throws IOException { 806 807 Status status = null; 808 HandshakeStatus hsStatus = null; 809 810 /* 811 * See if the handshaker needs to report back some SSLException. 812 */ 813 checkTaskThrown(); 814 815 /* 816 * Check if we are closing/closed. 817 */ 818 if (isInboundDone()) { 819 return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0); 820 } 821 822 /* 823 * If we're still in cs_HANDSHAKE, make sure it's been 824 * started. 825 */ 826 synchronized (this) { 827 if ((connectionState == cs_HANDSHAKE) || 828 (connectionState == cs_START)) { 829 kickstartHandshake(); 830 831 /* 832 * If there's still outbound data to flush, we 833 * can return without trying to unwrap anything. 834 */ 835 hsStatus = getHSStatus(null); 836 837 if (hsStatus == HandshakeStatus.NEED_WRAP) { 838 return new SSLEngineResult(Status.OK, hsStatus, 0, 0); 839 } 840 } 841 } 842 843 /* 844 * Grab a copy of this if it doesn't already exist, 845 * and we can use it several places before anything major 846 * happens on this side. Races aren't critical 847 * here. 848 */ 849 if (hsStatus == null) { 850 hsStatus = getHSStatus(null); 851 } 852 853 /* 854 * If we have a task outstanding, this *MUST* be done before 855 * doing any more unwrapping, because we could be in the middle 856 * of receiving a handshake message, for example, a finished 857 * message which would change the ciphers. 858 */ 859 if (hsStatus == HandshakeStatus.NEED_TASK) { 860 return new SSLEngineResult( 861 Status.OK, hsStatus, 0, 0); 862 } 863 864 /* 865 * Check the packet to make sure enough is here. 866 * This will also indirectly check for 0 len packets. 867 */ 868 int packetLen = inputRecord.bytesInCompletePacket(ea.netData); 869 870 // Is this packet bigger than SSL/TLS normally allows? 871 if (packetLen > sess.getPacketBufferSize()) { 872 if (packetLen > Record.maxLargeRecordSize) { 873 throw new SSLProtocolException( 874 "Input SSL/TLS record too big: max = " + 875 Record.maxLargeRecordSize + 876 " len = " + packetLen); 877 } else { 878 // Expand the expected maximum packet/application buffer 879 // sizes. 880 sess.expandBufferSizes(); 881 } 882 } 883 884 /* 885 * Check for OVERFLOW. 886 * 887 * To be considered: We could delay enforcing the application buffer 888 * free space requirement until after the initial handshaking. 889 */ 890 if ((packetLen - Record.headerSize) > ea.getAppRemaining()) { 891 return new SSLEngineResult(Status.BUFFER_OVERFLOW, hsStatus, 0, 0); 892 } 893 894 // check for UNDERFLOW. 895 if ((packetLen == -1) || (ea.netData.remaining() < packetLen)) { 896 return new SSLEngineResult( 897 Status.BUFFER_UNDERFLOW, hsStatus, 0, 0); 898 } 899 900 /* 901 * We're now ready to actually do the read. 902 * The only result code we really need to be exactly 903 * right is the HS finished, for signaling to 904 * HandshakeCompletedListeners. 905 */ 906 try { 907 hsStatus = readRecord(ea); 908 } catch (SSLException e) { 909 throw e; 910 } catch (IOException e) { 911 throw new SSLException("readRecord", e); 912 } 913 914 /* 915 * Check the various condition that we could be reporting. 916 * 917 * It's *possible* something might have happened between the 918 * above and now, but it was better to minimally lock "this" 919 * during the read process. We'll return the current 920 * status, which is more representative of the current state. 921 * 922 * status above should cover: FINISHED, NEED_TASK 923 */ 924 status = (isInboundDone() ? Status.CLOSED : Status.OK); 925 hsStatus = getHSStatus(hsStatus); 926 927 return new SSLEngineResult(status, hsStatus, 928 ea.deltaNet(), ea.deltaApp()); 929 } 930 931 /* 932 * Actually do the read record processing. 933 * 934 * Returns a Status if it can make specific determinations 935 * of the engine state. In particular, we need to signal 936 * that a handshake just completed. 937 * 938 * It would be nice to be symmetrical with the write side and move 939 * the majority of this to EngineInputRecord, but there's too much 940 * SSLEngine state to do that cleanly. It must still live here. 941 */ 942 private HandshakeStatus readRecord(EngineArgs ea) throws IOException { 943 944 HandshakeStatus hsStatus = null; 945 946 /* 947 * The various operations will return new sliced BB's, 948 * this will avoid having to worry about positions and 949 * limits in the netBB. 950 */ 951 ByteBuffer readBB = null; 952 ByteBuffer decryptedBB = null; 953 954 if (getConnectionState() != cs_ERROR) { 955 956 /* 957 * Read a record ... maybe emitting an alert if we get a 958 * comprehensible but unsupported "hello" message during 959 * format checking (e.g. V2). 960 */ 961 try { 962 readBB = inputRecord.read(ea.netData); 963 } catch (IOException e) { 964 fatal(Alerts.alert_unexpected_message, e); 965 } 966 967 /* 968 * The basic SSLv3 record protection involves (optional) 969 * encryption for privacy, and an integrity check ensuring 970 * data origin authentication. We do them both here, and 971 * throw a fatal alert if the integrity check fails. 972 */ 973 try { 974 decryptedBB = inputRecord.decrypt( 975 readAuthenticator, readCipher, readBB); 976 } catch (BadPaddingException e) { 977 byte alertType = (inputRecord.contentType() == 978 Record.ct_handshake) ? 979 Alerts.alert_handshake_failure : 980 Alerts.alert_bad_record_mac; 981 fatal(alertType, e.getMessage(), e); 982 } 983 984 // if (!inputRecord.decompress(c)) 985 // fatal(Alerts.alert_decompression_failure, 986 // "decompression failure"); 987 988 989 /* 990 * Process the record. 991 */ 992 993 synchronized (this) { 994 switch (inputRecord.contentType()) { 995 case Record.ct_handshake: 996 /* 997 * Handshake messages always go to a pending session 998 * handshaker ... if there isn't one, create one. This 999 * must work asynchronously, for renegotiation. 1000 * 1001 * NOTE that handshaking will either resume a session 1002 * which was in the cache (and which might have other 1003 * connections in it already), or else will start a new 1004 * session (new keys exchanged) with just this connection 1005 * in it. 1006 */ 1007 initHandshaker(); 1008 if (!handshaker.activated()) { 1009 // prior to handshaking, activate the handshake 1010 if (connectionState == cs_RENEGOTIATE) { 1011 // don't use SSLv2Hello when renegotiating 1012 handshaker.activate(protocolVersion); 1013 } else { 1014 handshaker.activate(null); 1015 } 1016 } 1017 1018 /* 1019 * process the handshake record ... may contain just 1020 * a partial handshake message or multiple messages. 1021 * 1022 * The handshaker state machine will ensure that it's 1023 * a finished message. 1024 */ 1025 handshaker.process_record(inputRecord, expectingFinished); 1026 expectingFinished = false; 1027 1028 if (handshaker.invalidated) { 1029 handshaker = null; 1030 receivedCCS = false; 1031 // if state is cs_RENEGOTIATE, revert it to cs_DATA 1032 if (connectionState == cs_RENEGOTIATE) { 1033 connectionState = cs_DATA; 1034 } 1035 } else if (handshaker.isDone()) { 1036 // reset the parameters for secure renegotiation. 1037 secureRenegotiation = 1038 handshaker.isSecureRenegotiation(); 1039 clientVerifyData = handshaker.getClientVerifyData(); 1040 serverVerifyData = handshaker.getServerVerifyData(); 1041 1042 sess = handshaker.getSession(); 1043 handshakeSession = null; 1044 if (!writer.hasOutboundData()) { 1045 hsStatus = HandshakeStatus.FINISHED; 1046 } 1047 handshaker = null; 1048 connectionState = cs_DATA; 1049 receivedCCS = false; 1050 1051 // No handshakeListeners here. That's a 1052 // SSLSocket thing. 1053 } else if (handshaker.taskOutstanding()) { 1054 hsStatus = HandshakeStatus.NEED_TASK; 1055 } 1056 break; 1057 1058 case Record.ct_application_data: 1059 // Pass this right back up to the application. 1060 if ((connectionState != cs_DATA) 1061 && (connectionState != cs_RENEGOTIATE) 1062 && (connectionState != cs_CLOSED)) { 1063 throw new SSLProtocolException( 1064 "Data received in non-data state: " + 1065 connectionState); 1066 } 1067 1068 if (expectingFinished) { 1069 throw new SSLProtocolException 1070 ("Expecting finished message, received data"); 1071 } 1072 1073 /* 1074 * Don't return data once the inbound side is 1075 * closed. 1076 */ 1077 if (!inboundDone) { 1078 ea.scatter(decryptedBB.slice()); 1079 } 1080 break; 1081 1082 case Record.ct_alert: 1083 recvAlert(); 1084 break; 1085 1086 case Record.ct_change_cipher_spec: 1087 if ((connectionState != cs_HANDSHAKE 1088 && connectionState != cs_RENEGOTIATE) 1089 || !handshaker.sessionKeysCalculated() 1090 || receivedCCS) { 1091 // For the CCS message arriving in the wrong state 1092 fatal(Alerts.alert_unexpected_message, 1093 "illegal change cipher spec msg, conn state = " 1094 + connectionState + ", handshake state = " 1095 + handshaker.state); 1096 } else if (inputRecord.available() != 1 1097 || inputRecord.read() != 1) { 1098 // For structural/content issues with the CCS 1099 fatal(Alerts.alert_unexpected_message, 1100 "Malformed change cipher spec msg"); 1101 } 1102 1103 // Once we've received CCS, update the flag. 1104 // If the remote endpoint sends it again in this handshake 1105 // we won't process it. 1106 receivedCCS = true; 1107 1108 // 1109 // The first message after a change_cipher_spec 1110 // record MUST be a "Finished" handshake record, 1111 // else it's a protocol violation. We force this 1112 // to be checked by a minor tweak to the state 1113 // machine. 1114 // 1115 changeReadCiphers(); 1116 // next message MUST be a finished message 1117 expectingFinished = true; 1118 break; 1119 1120 default: 1121 // 1122 // TLS requires that unrecognized records be ignored. 1123 // 1124 if (debug != null && Debug.isOn("ssl")) { 1125 System.out.println(Thread.currentThread().getName() + 1126 ", Received record type: " 1127 + inputRecord.contentType()); 1128 } 1129 break; 1130 } // switch 1131 1132 /* 1133 * We only need to check the sequence number state for 1134 * non-handshaking record. 1135 * 1136 * Note that in order to maintain the handshake status 1137 * properly, we check the sequence number after the last 1138 * record reading process. As we request renegotiation 1139 * or close the connection for wrapped sequence number 1140 * when there is enough sequence number space left to 1141 * handle a few more records, so the sequence number 1142 * of the last record cannot be wrapped. 1143 */ 1144 hsStatus = getHSStatus(hsStatus); 1145 if (connectionState < cs_ERROR && !isInboundDone() && 1146 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) { 1147 if (checkSequenceNumber(readAuthenticator, 1148 inputRecord.contentType())) { 1149 hsStatus = getHSStatus(null); 1150 } 1151 } 1152 } // synchronized (this) 1153 } 1154 1155 return hsStatus; 1156 } 1157 1158 1159 // 1160 // write/wrap side 1161 // 1162 1163 1164 /** 1165 * Wraps a buffer. Does a variety of checks before grabbing 1166 * the wrapLock, which blocks multiple wraps from occurring. 1167 */ 1168 @Override 1169 public SSLEngineResult wrap(ByteBuffer [] appData, 1170 int offset, int length, ByteBuffer netData) throws SSLException { 1171 1172 EngineArgs ea = new EngineArgs(appData, offset, length, netData); 1173 1174 /* 1175 * We can be smarter about using smaller buffer sizes later. 1176 * For now, force it to be large enough to handle any 1177 * valid SSL/TLS record. 1178 */ 1179 if (netData.remaining() < EngineOutputRecord.maxRecordSize) { 1180 return new SSLEngineResult( 1181 Status.BUFFER_OVERFLOW, getHSStatus(null), 0, 0); 1182 } 1183 1184 try { 1185 synchronized (wrapLock) { 1186 return writeAppRecord(ea); 1187 } 1188 } catch (Exception e) { 1189 ea.resetPos(); 1190 1191 fatal(Alerts.alert_internal_error, 1192 "problem wrapping app data", e); 1193 return null; // make compiler happy 1194 } finally { 1195 /* 1196 * Just in case something didn't reset limits properly. 1197 */ 1198 ea.resetLim(); 1199 } 1200 } 1201 1202 /* 1203 * Makes additional checks for unwrap, but this time more 1204 * specific to this packet and the current state of the machine. 1205 */ 1206 private SSLEngineResult writeAppRecord(EngineArgs ea) throws IOException { 1207 1208 Status status = null; 1209 HandshakeStatus hsStatus = null; 1210 1211 /* 1212 * See if the handshaker needs to report back some SSLException. 1213 */ 1214 checkTaskThrown(); 1215 1216 /* 1217 * short circuit if we're closed/closing. 1218 */ 1219 if (writer.isOutboundDone()) { 1220 return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0); 1221 } 1222 1223 /* 1224 * If we're still in cs_HANDSHAKE, make sure it's been 1225 * started. 1226 */ 1227 synchronized (this) { 1228 if ((connectionState == cs_HANDSHAKE) || 1229 (connectionState == cs_START)) { 1230 kickstartHandshake(); 1231 1232 /* 1233 * If there's no HS data available to write, we can return 1234 * without trying to wrap anything. 1235 */ 1236 hsStatus = getHSStatus(null); 1237 1238 if (hsStatus == HandshakeStatus.NEED_UNWRAP) { 1239 return new SSLEngineResult(Status.OK, hsStatus, 0, 0); 1240 } 1241 } 1242 } 1243 1244 /* 1245 * Grab a copy of this if it doesn't already exist, 1246 * and we can use it several places before anything major 1247 * happens on this side. Races aren't critical 1248 * here. 1249 */ 1250 if (hsStatus == null) { 1251 hsStatus = getHSStatus(null); 1252 } 1253 1254 /* 1255 * If we have a task outstanding, this *MUST* be done before 1256 * doing any more wrapping, because we could be in the middle 1257 * of receiving a handshake message, for example, a finished 1258 * message which would change the ciphers. 1259 */ 1260 if (hsStatus == HandshakeStatus.NEED_TASK) { 1261 return new SSLEngineResult( 1262 Status.OK, hsStatus, 0, 0); 1263 } 1264 1265 /* 1266 * This will obtain any waiting outbound data, or will 1267 * process the outbound appData. 1268 */ 1269 try { 1270 synchronized (writeLock) { 1271 hsStatus = writeRecord(outputRecord, ea); 1272 } 1273 } catch (SSLException e) { 1274 throw e; 1275 } catch (IOException e) { 1276 throw new SSLException("Write problems", e); 1277 } 1278 1279 /* 1280 * writeRecord might have reported some status. 1281 * Now check for the remaining cases. 1282 * 1283 * status above should cover: NEED_WRAP/FINISHED 1284 */ 1285 status = (isOutboundDone() ? Status.CLOSED : Status.OK); 1286 hsStatus = getHSStatus(hsStatus); 1287 1288 return new SSLEngineResult(status, hsStatus, 1289 ea.deltaApp(), ea.deltaNet()); 1290 } 1291 1292 /* 1293 * Central point to write/get all of the outgoing data. 1294 */ 1295 private HandshakeStatus writeRecord(EngineOutputRecord eor, 1296 EngineArgs ea) throws IOException { 1297 1298 // eventually compress as well. 1299 HandshakeStatus hsStatus = 1300 writer.writeRecord(eor, ea, writeAuthenticator, writeCipher); 1301 1302 /* 1303 * We only need to check the sequence number state for 1304 * non-handshaking record. 1305 * 1306 * Note that in order to maintain the handshake status 1307 * properly, we check the sequence number after the last 1308 * record writing process. As we request renegotiation 1309 * or close the connection for wrapped sequence number 1310 * when there is enough sequence number space left to 1311 * handle a few more records, so the sequence number 1312 * of the last record cannot be wrapped. 1313 */ 1314 hsStatus = getHSStatus(hsStatus); 1315 if (connectionState < cs_ERROR && !isOutboundDone() && 1316 (hsStatus == HandshakeStatus.NOT_HANDSHAKING)) { 1317 if (checkSequenceNumber(writeAuthenticator, eor.contentType())) { 1318 hsStatus = getHSStatus(null); 1319 } 1320 } 1321 1322 /* 1323 * turn off the flag of the first application record if we really 1324 * consumed at least byte. 1325 */ 1326 if (isFirstAppOutputRecord && ea.deltaApp() > 0) { 1327 isFirstAppOutputRecord = false; 1328 } 1329 1330 return hsStatus; 1331 } 1332 1333 /* 1334 * Need to split the payload except the following cases: 1335 * 1336 * 1. protocol version is TLS 1.1 or later; 1337 * 2. bulk cipher does not use CBC mode, including null bulk cipher suites. 1338 * 3. the payload is the first application record of a freshly 1339 * negotiated TLS session. 1340 * 4. the CBC protection is disabled; 1341 * 1342 * More details, please refer to 1343 * EngineOutputRecord.write(EngineArgs, MAC, CipherBox). 1344 */ 1345 boolean needToSplitPayload(CipherBox cipher, ProtocolVersion protocol) { 1346 return (protocol.v <= ProtocolVersion.TLS10.v) && 1347 cipher.isCBCMode() && !isFirstAppOutputRecord && 1348 Record.enableCBCProtection; 1349 } 1350 1351 /* 1352 * Non-application OutputRecords go through here. 1353 */ 1354 void writeRecord(EngineOutputRecord eor) throws IOException { 1355 // eventually compress as well. 1356 writer.writeRecord(eor, writeAuthenticator, writeCipher); 1357 1358 /* 1359 * Check the sequence number state 1360 * 1361 * Note that in order to maintain the connection I/O 1362 * properly, we check the sequence number after the last 1363 * record writing process. As we request renegotiation 1364 * or close the connection for wrapped sequence number 1365 * when there is enough sequence number space left to 1366 * handle a few more records, so the sequence number 1367 * of the last record cannot be wrapped. 1368 */ 1369 if ((connectionState < cs_ERROR) && !isOutboundDone()) { 1370 checkSequenceNumber(writeAuthenticator, eor.contentType()); 1371 } 1372 } 1373 1374 // 1375 // Close code 1376 // 1377 1378 /** 1379 * Check the sequence number state 1380 * 1381 * RFC 4346 states that, "Sequence numbers are of type uint64 and 1382 * may not exceed 2^64-1. Sequence numbers do not wrap. If a TLS 1383 * implementation would need to wrap a sequence number, it must 1384 * renegotiate instead." 1385 * 1386 * Return true if the handshake status may be changed. 1387 */ 1388 private boolean checkSequenceNumber(Authenticator authenticator, byte type) 1389 throws IOException { 1390 1391 /* 1392 * Don't bother to check the sequence number for error or 1393 * closed connections, or NULL MAC 1394 */ 1395 if (connectionState >= cs_ERROR || authenticator == MAC.NULL) { 1396 return false; 1397 } 1398 1399 /* 1400 * Conservatively, close the connection immediately when the 1401 * sequence number is close to overflow 1402 */ 1403 if (authenticator.seqNumOverflow()) { 1404 /* 1405 * TLS protocols do not define a error alert for sequence 1406 * number overflow. We use handshake_failure error alert 1407 * for handshaking and bad_record_mac for other records. 1408 */ 1409 if (debug != null && Debug.isOn("ssl")) { 1410 System.out.println(Thread.currentThread().getName() + 1411 ", sequence number extremely close to overflow " + 1412 "(2^64-1 packets). Closing connection."); 1413 } 1414 1415 fatal(Alerts.alert_handshake_failure, "sequence number overflow"); 1416 1417 return true; // make the compiler happy 1418 } 1419 1420 /* 1421 * Ask for renegotiation when need to renew sequence number. 1422 * 1423 * Don't bother to kickstart the renegotiation when the local is 1424 * asking for it. 1425 */ 1426 if ((type != Record.ct_handshake) && authenticator.seqNumIsHuge()) { 1427 if (debug != null && Debug.isOn("ssl")) { 1428 System.out.println(Thread.currentThread().getName() + 1429 ", request renegotiation " + 1430 "to avoid sequence number overflow"); 1431 } 1432 1433 beginHandshake(); 1434 return true; 1435 } 1436 1437 return false; 1438 } 1439 1440 /** 1441 * Signals that no more outbound application data will be sent 1442 * on this <code>SSLEngine</code>. 1443 */ 1444 private void closeOutboundInternal() { 1445 1446 if ((debug != null) && Debug.isOn("ssl")) { 1447 System.out.println(Thread.currentThread().getName() + 1448 ", closeOutboundInternal()"); 1449 } 1450 1451 /* 1452 * Already closed, ignore 1453 */ 1454 if (writer.isOutboundDone()) { 1455 return; 1456 } 1457 1458 switch (connectionState) { 1459 1460 /* 1461 * If we haven't even started yet, don't bother reading inbound. 1462 */ 1463 case cs_START: 1464 writer.closeOutbound(); 1465 inboundDone = true; 1466 break; 1467 1468 case cs_ERROR: 1469 case cs_CLOSED: 1470 break; 1471 1472 /* 1473 * Otherwise we indicate clean termination. 1474 */ 1475 // case cs_HANDSHAKE: 1476 // case cs_DATA: 1477 // case cs_RENEGOTIATE: 1478 default: 1479 warning(Alerts.alert_close_notify); 1480 writer.closeOutbound(); 1481 break; 1482 } 1483 1484 // See comment in changeReadCiphers() 1485 writeCipher.dispose(); 1486 1487 connectionState = cs_CLOSED; 1488 } 1489 1490 @Override 1491 synchronized public void closeOutbound() { 1492 /* 1493 * Dump out a close_notify to the remote side 1494 */ 1495 if ((debug != null) && Debug.isOn("ssl")) { 1496 System.out.println(Thread.currentThread().getName() + 1497 ", called closeOutbound()"); 1498 } 1499 1500 closeOutboundInternal(); 1501 } 1502 1503 /** 1504 * Returns the outbound application data closure state 1505 */ 1506 @Override 1507 public boolean isOutboundDone() { 1508 return writer.isOutboundDone(); 1509 } 1510 1511 /** 1512 * Signals that no more inbound network data will be sent 1513 * to this <code>SSLEngine</code>. 1514 */ 1515 private void closeInboundInternal() { 1516 1517 if ((debug != null) && Debug.isOn("ssl")) { 1518 System.out.println(Thread.currentThread().getName() + 1519 ", closeInboundInternal()"); 1520 } 1521 1522 /* 1523 * Already closed, ignore 1524 */ 1525 if (inboundDone) { 1526 return; 1527 } 1528 1529 closeOutboundInternal(); 1530 inboundDone = true; 1531 1532 // See comment in changeReadCiphers() 1533 readCipher.dispose(); 1534 1535 connectionState = cs_CLOSED; 1536 } 1537 1538 /* 1539 * Close the inbound side of the connection. We grab the 1540 * lock here, and do the real work in the internal verison. 1541 * We do check for truncation attacks. 1542 */ 1543 @Override 1544 synchronized public void closeInbound() throws SSLException { 1545 /* 1546 * Currently closes the outbound side as well. The IETF TLS 1547 * working group has expressed the opinion that 1/2 open 1548 * connections are not allowed by the spec. May change 1549 * someday in the future. 1550 */ 1551 if ((debug != null) && Debug.isOn("ssl")) { 1552 System.out.println(Thread.currentThread().getName() + 1553 ", called closeInbound()"); 1554 } 1555 1556 /* 1557 * No need to throw an Exception if we haven't even started yet. 1558 */ 1559 if ((connectionState != cs_START) && !recvCN) { 1560 recvCN = true; // Only receive the Exception once 1561 fatal(Alerts.alert_internal_error, 1562 "Inbound closed before receiving peer's close_notify: " + 1563 "possible truncation attack?"); 1564 } else { 1565 /* 1566 * Currently, this is a no-op, but in case we change 1567 * the close inbound code later. 1568 */ 1569 closeInboundInternal(); 1570 } 1571 } 1572 1573 /** 1574 * Returns the network inbound data closure state 1575 */ 1576 @Override 1577 synchronized public boolean isInboundDone() { 1578 return inboundDone; 1579 } 1580 1581 1582 // 1583 // Misc stuff 1584 // 1585 1586 1587 /** 1588 * Returns the current <code>SSLSession</code> for this 1589 * <code>SSLEngine</code> 1590 * <P> 1591 * These can be long lived, and frequently correspond to an 1592 * entire login session for some user. 1593 */ 1594 @Override 1595 synchronized public SSLSession getSession() { 1596 return sess; 1597 } 1598 1599 @Override 1600 synchronized public SSLSession getHandshakeSession() { 1601 return handshakeSession; 1602 } 1603 1604 synchronized void setHandshakeSession(SSLSessionImpl session) { 1605 handshakeSession = session; 1606 } 1607 1608 /** 1609 * Returns a delegated <code>Runnable</code> task for 1610 * this <code>SSLEngine</code>. 1611 */ 1612 @Override 1613 synchronized public Runnable getDelegatedTask() { 1614 if (handshaker != null) { 1615 return handshaker.getTask(); 1616 } 1617 return null; 1618 } 1619 1620 1621 // 1622 // EXCEPTION AND ALERT HANDLING 1623 // 1624 1625 /* 1626 * Send a warning alert. 1627 */ 1628 void warning(byte description) { 1629 sendAlert(Alerts.alert_warning, description); 1630 } 1631 1632 synchronized void fatal(byte description, String diagnostic) 1633 throws SSLException { 1634 fatal(description, diagnostic, null); 1635 } 1636 1637 synchronized void fatal(byte description, Throwable cause) 1638 throws SSLException { 1639 fatal(description, null, cause); 1640 } 1641 1642 /* 1643 * We've got a fatal error here, so start the shutdown process. 1644 * 1645 * Because of the way the code was written, we have some code 1646 * calling fatal directly when the "description" is known 1647 * and some throwing Exceptions which are then caught by higher 1648 * levels which then call here. This code needs to determine 1649 * if one of the lower levels has already started the process. 1650 * 1651 * We won't worry about Error's, if we have one of those, 1652 * we're in worse trouble. Note: the networking code doesn't 1653 * deal with Errors either. 1654 */ 1655 synchronized void fatal(byte description, String diagnostic, 1656 Throwable cause) throws SSLException { 1657 1658 /* 1659 * If we have no further information, make a general-purpose 1660 * message for folks to see. We generally have one or the other. 1661 */ 1662 if (diagnostic == null) { 1663 diagnostic = "General SSLEngine problem"; 1664 } 1665 if (cause == null) { 1666 cause = Alerts.getSSLException(description, cause, diagnostic); 1667 } 1668 1669 /* 1670 * If we've already shutdown because of an error, 1671 * there is nothing we can do except rethrow the exception. 1672 * 1673 * Most exceptions seen here will be SSLExceptions. 1674 * We may find the occasional Exception which hasn't been 1675 * converted to a SSLException, so we'll do it here. 1676 */ 1677 if (closeReason != null) { 1678 if ((debug != null) && Debug.isOn("ssl")) { 1679 System.out.println(Thread.currentThread().getName() + 1680 ", fatal: engine already closed. Rethrowing " + 1681 cause.toString()); 1682 } 1683 if (cause instanceof RuntimeException) { 1684 throw (RuntimeException)cause; 1685 } else if (cause instanceof SSLException) { 1686 throw (SSLException)cause; 1687 } else if (cause instanceof Exception) { 1688 throw new SSLException("fatal SSLEngine condition", cause); 1689 } 1690 } 1691 1692 if ((debug != null) && Debug.isOn("ssl")) { 1693 System.out.println(Thread.currentThread().getName() 1694 + ", fatal error: " + description + 1695 ": " + diagnostic + "\n" + cause.toString()); 1696 } 1697 1698 /* 1699 * Ok, this engine's going down. 1700 */ 1701 int oldState = connectionState; 1702 connectionState = cs_ERROR; 1703 1704 inboundDone = true; 1705 1706 sess.invalidate(); 1707 if (handshakeSession != null) { 1708 handshakeSession.invalidate(); 1709 } 1710 1711 /* 1712 * If we haven't even started handshaking yet, no need 1713 * to generate the fatal close alert. 1714 */ 1715 if (oldState != cs_START) { 1716 sendAlert(Alerts.alert_fatal, description); 1717 } 1718 1719 if (cause instanceof SSLException) { // only true if != null 1720 closeReason = (SSLException)cause; 1721 } else { 1722 /* 1723 * Including RuntimeExceptions, but we'll throw those 1724 * down below. The closeReason isn't used again, 1725 * except for null checks. 1726 */ 1727 closeReason = 1728 Alerts.getSSLException(description, cause, diagnostic); 1729 } 1730 1731 writer.closeOutbound(); 1732 1733 connectionState = cs_CLOSED; 1734 1735 // See comment in changeReadCiphers() 1736 readCipher.dispose(); 1737 writeCipher.dispose(); 1738 1739 if (cause instanceof RuntimeException) { 1740 throw (RuntimeException)cause; 1741 } else { 1742 throw closeReason; 1743 } 1744 } 1745 1746 /* 1747 * Process an incoming alert ... caller must already have synchronized 1748 * access to "this". 1749 */ 1750 private void recvAlert() throws IOException { 1751 byte level = (byte)inputRecord.read(); 1752 byte description = (byte)inputRecord.read(); 1753 if (description == -1) { // check for short message 1754 fatal(Alerts.alert_illegal_parameter, "Short alert message"); 1755 } 1756 1757 if (debug != null && (Debug.isOn("record") || 1758 Debug.isOn("handshake"))) { 1759 synchronized (System.out) { 1760 System.out.print(Thread.currentThread().getName()); 1761 System.out.print(", RECV " + protocolVersion + " ALERT: "); 1762 if (level == Alerts.alert_fatal) { 1763 System.out.print("fatal, "); 1764 } else if (level == Alerts.alert_warning) { 1765 System.out.print("warning, "); 1766 } else { 1767 System.out.print("<level " + (0x0ff & level) + ">, "); 1768 } 1769 System.out.println(Alerts.alertDescription(description)); 1770 } 1771 } 1772 1773 if (level == Alerts.alert_warning) { 1774 if (description == Alerts.alert_close_notify) { 1775 if (connectionState == cs_HANDSHAKE) { 1776 fatal(Alerts.alert_unexpected_message, 1777 "Received close_notify during handshake"); 1778 } else { 1779 recvCN = true; 1780 closeInboundInternal(); // reply to close 1781 } 1782 } else { 1783 1784 // 1785 // The other legal warnings relate to certificates, 1786 // e.g. no_certificate, bad_certificate, etc; these 1787 // are important to the handshaking code, which can 1788 // also handle illegal protocol alerts if needed. 1789 // 1790 if (handshaker != null) { 1791 handshaker.handshakeAlert(description); 1792 } 1793 } 1794 } else { // fatal or unknown level 1795 String reason = "Received fatal alert: " 1796 + Alerts.alertDescription(description); 1797 if (closeReason == null) { 1798 closeReason = Alerts.getSSLException(description, reason); 1799 } 1800 fatal(Alerts.alert_unexpected_message, reason); 1801 } 1802 } 1803 1804 1805 /* 1806 * Emit alerts. Caller must have synchronized with "this". 1807 */ 1808 private void sendAlert(byte level, byte description) { 1809 // the connectionState cannot be cs_START 1810 if (connectionState >= cs_CLOSED) { 1811 return; 1812 } 1813 1814 // For initial handshaking, don't send alert message to peer if 1815 // handshaker has not started. 1816 if (connectionState == cs_HANDSHAKE && 1817 (handshaker == null || !handshaker.started())) { 1818 return; 1819 } 1820 1821 EngineOutputRecord r = new EngineOutputRecord(Record.ct_alert, this); 1822 r.setVersion(protocolVersion); 1823 1824 boolean useDebug = debug != null && Debug.isOn("ssl"); 1825 if (useDebug) { 1826 synchronized (System.out) { 1827 System.out.print(Thread.currentThread().getName()); 1828 System.out.print(", SEND " + protocolVersion + " ALERT: "); 1829 if (level == Alerts.alert_fatal) { 1830 System.out.print("fatal, "); 1831 } else if (level == Alerts.alert_warning) { 1832 System.out.print("warning, "); 1833 } else { 1834 System.out.print("<level = " + (0x0ff & level) + ">, "); 1835 } 1836 System.out.println("description = " 1837 + Alerts.alertDescription(description)); 1838 } 1839 } 1840 1841 r.write(level); 1842 r.write(description); 1843 try { 1844 writeRecord(r); 1845 } catch (IOException e) { 1846 if (useDebug) { 1847 System.out.println(Thread.currentThread().getName() + 1848 ", Exception sending alert: " + e); 1849 } 1850 } 1851 } 1852 1853 1854 // 1855 // VARIOUS OTHER METHODS (COMMON TO SSLSocket) 1856 // 1857 1858 1859 /** 1860 * Controls whether new connections may cause creation of new SSL 1861 * sessions. 1862 * 1863 * As long as handshaking has not started, we can change 1864 * whether we enable session creations. Otherwise, 1865 * we will need to wait for the next handshake. 1866 */ 1867 @Override 1868 synchronized public void setEnableSessionCreation(boolean flag) { 1869 enableSessionCreation = flag; 1870 1871 if ((handshaker != null) && !handshaker.activated()) { 1872 handshaker.setEnableSessionCreation(enableSessionCreation); 1873 } 1874 } 1875 1876 /** 1877 * Returns true if new connections may cause creation of new SSL 1878 * sessions. 1879 */ 1880 @Override 1881 synchronized public boolean getEnableSessionCreation() { 1882 return enableSessionCreation; 1883 } 1884 1885 1886 /** 1887 * Sets the flag controlling whether a server mode engine 1888 * *REQUIRES* SSL client authentication. 1889 * 1890 * As long as handshaking has not started, we can change 1891 * whether client authentication is needed. Otherwise, 1892 * we will need to wait for the next handshake. 1893 */ 1894 @Override 1895 synchronized public void setNeedClientAuth(boolean flag) { 1896 doClientAuth = (flag ? 1897 SSLEngineImpl.clauth_required : SSLEngineImpl.clauth_none); 1898 1899 if ((handshaker != null) && 1900 (handshaker instanceof ServerHandshaker) && 1901 !handshaker.activated()) { 1902 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth); 1903 } 1904 } 1905 1906 @Override 1907 synchronized public boolean getNeedClientAuth() { 1908 return (doClientAuth == SSLEngineImpl.clauth_required); 1909 } 1910 1911 /** 1912 * Sets the flag controlling whether a server mode engine 1913 * *REQUESTS* SSL client authentication. 1914 * 1915 * As long as handshaking has not started, we can change 1916 * whether client authentication is requested. Otherwise, 1917 * we will need to wait for the next handshake. 1918 */ 1919 @Override 1920 synchronized public void setWantClientAuth(boolean flag) { 1921 doClientAuth = (flag ? 1922 SSLEngineImpl.clauth_requested : SSLEngineImpl.clauth_none); 1923 1924 if ((handshaker != null) && 1925 (handshaker instanceof ServerHandshaker) && 1926 !handshaker.activated()) { 1927 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth); 1928 } 1929 } 1930 1931 @Override 1932 synchronized public boolean getWantClientAuth() { 1933 return (doClientAuth == SSLEngineImpl.clauth_requested); 1934 } 1935 1936 1937 /** 1938 * Sets the flag controlling whether the engine is in SSL 1939 * client or server mode. Must be called before any SSL 1940 * traffic has started. 1941 */ 1942 @Override 1943 @SuppressWarnings("fallthrough") 1944 synchronized public void setUseClientMode(boolean flag) { 1945 switch (connectionState) { 1946 1947 case cs_START: 1948 /* 1949 * If we need to change the engine mode and the enabled 1950 * protocols haven't specifically been set by the user, 1951 * change them to the corresponding default ones. 1952 */ 1953 if (roleIsServer != (!flag) && 1954 sslContext.isDefaultProtocolList(enabledProtocols)) { 1955 enabledProtocols = sslContext.getDefaultProtocolList(!flag); 1956 } 1957 1958 roleIsServer = !flag; 1959 serverModeSet = true; 1960 break; 1961 1962 case cs_HANDSHAKE: 1963 /* 1964 * If we have a handshaker, but haven't started 1965 * SSL traffic, we can throw away our current 1966 * handshaker, and start from scratch. Don't 1967 * need to call doneConnect() again, we already 1968 * have the streams. 1969 */ 1970 assert(handshaker != null); 1971 if (!handshaker.activated()) { 1972 /* 1973 * If we need to change the engine mode and the enabled 1974 * protocols haven't specifically been set by the user, 1975 * change them to the corresponding default ones. 1976 */ 1977 if (roleIsServer != (!flag) && 1978 sslContext.isDefaultProtocolList(enabledProtocols)) { 1979 enabledProtocols = sslContext.getDefaultProtocolList(!flag); 1980 } 1981 1982 roleIsServer = !flag; 1983 connectionState = cs_START; 1984 initHandshaker(); 1985 break; 1986 } 1987 1988 // If handshake has started, that's an error. Fall through... 1989 1990 default: 1991 if (debug != null && Debug.isOn("ssl")) { 1992 System.out.println(Thread.currentThread().getName() + 1993 ", setUseClientMode() invoked in state = " + 1994 connectionState); 1995 } 1996 1997 /* 1998 * We can let them continue if they catch this correctly, 1999 * we don't need to shut this down. 2000 */ 2001 throw new IllegalArgumentException( 2002 "Cannot change mode after SSL traffic has started"); 2003 } 2004 } 2005 2006 @Override 2007 synchronized public boolean getUseClientMode() { 2008 return !roleIsServer; 2009 } 2010 2011 2012 /** 2013 * Returns the names of the cipher suites which could be enabled for use 2014 * on an SSL connection. Normally, only a subset of these will actually 2015 * be enabled by default, since this list may include cipher suites which 2016 * do not support the mutual authentication of servers and clients, or 2017 * which do not protect data confidentiality. Servers may also need 2018 * certain kinds of certificates to use certain cipher suites. 2019 * 2020 * @return an array of cipher suite names 2021 */ 2022 @Override 2023 public String[] getSupportedCipherSuites() { 2024 return sslContext.getSupportedCipherSuiteList().toStringArray(); 2025 } 2026 2027 /** 2028 * Controls which particular cipher suites are enabled for use on 2029 * this connection. The cipher suites must have been listed by 2030 * getCipherSuites() as being supported. Even if a suite has been 2031 * enabled, it might never be used if no peer supports it or the 2032 * requisite certificates (and private keys) are not available. 2033 * 2034 * @param suites Names of all the cipher suites to enable. 2035 */ 2036 @Override 2037 synchronized public void setEnabledCipherSuites(String[] suites) { 2038 enabledCipherSuites = new CipherSuiteList(suites); 2039 if ((handshaker != null) && !handshaker.activated()) { 2040 handshaker.setEnabledCipherSuites(enabledCipherSuites); 2041 } 2042 } 2043 2044 /** 2045 * Returns the names of the SSL cipher suites which are currently enabled 2046 * for use on this connection. When an SSL engine is first created, 2047 * all enabled cipher suites <em>(a)</em> protect data confidentiality, 2048 * by traffic encryption, and <em>(b)</em> can mutually authenticate 2049 * both clients and servers. Thus, in some environments, this value 2050 * might be empty. 2051 * 2052 * @return an array of cipher suite names 2053 */ 2054 @Override 2055 synchronized public String[] getEnabledCipherSuites() { 2056 return enabledCipherSuites.toStringArray(); 2057 } 2058 2059 2060 /** 2061 * Returns the protocols that are supported by this implementation. 2062 * A subset of the supported protocols may be enabled for this connection 2063 * @return an array of protocol names. 2064 */ 2065 @Override 2066 public String[] getSupportedProtocols() { 2067 return sslContext.getSuportedProtocolList().toStringArray(); 2068 } 2069 2070 /** 2071 * Controls which protocols are enabled for use on 2072 * this connection. The protocols must have been listed by 2073 * getSupportedProtocols() as being supported. 2074 * 2075 * @param protocols protocols to enable. 2076 * @exception IllegalArgumentException when one of the protocols 2077 * named by the parameter is not supported. 2078 */ 2079 @Override 2080 synchronized public void setEnabledProtocols(String[] protocols) { 2081 enabledProtocols = new ProtocolList(protocols); 2082 if ((handshaker != null) && !handshaker.activated()) { 2083 handshaker.setEnabledProtocols(enabledProtocols); 2084 } 2085 } 2086 2087 @Override 2088 synchronized public String[] getEnabledProtocols() { 2089 return enabledProtocols.toStringArray(); 2090 } 2091 2092 /** 2093 * Returns the SSLParameters in effect for this SSLEngine. 2094 */ 2095 @Override 2096 synchronized public SSLParameters getSSLParameters() { 2097 SSLParameters params = super.getSSLParameters(); 2098 2099 // the super implementation does not handle the following parameters 2100 params.setEndpointIdentificationAlgorithm(identificationProtocol); 2101 params.setAlgorithmConstraints(algorithmConstraints); 2102 params.setSNIMatchers(sniMatchers); 2103 params.setServerNames(serverNames); 2104 params.setUseCipherSuitesOrder(preferLocalCipherSuites); 2105 2106 return params; 2107 } 2108 2109 /** 2110 * Applies SSLParameters to this engine. 2111 */ 2112 @Override 2113 synchronized public void setSSLParameters(SSLParameters params) { 2114 super.setSSLParameters(params); 2115 2116 // the super implementation does not handle the following parameters 2117 identificationProtocol = params.getEndpointIdentificationAlgorithm(); 2118 algorithmConstraints = params.getAlgorithmConstraints(); 2119 preferLocalCipherSuites = params.getUseCipherSuitesOrder(); 2120 2121 List<SNIServerName> sniNames = params.getServerNames(); 2122 if (sniNames != null) { 2123 serverNames = sniNames; 2124 } 2125 2126 Collection<SNIMatcher> matchers = params.getSNIMatchers(); 2127 if (matchers != null) { 2128 sniMatchers = matchers; 2129 } 2130 2131 if ((handshaker != null) && !handshaker.started()) { 2132 handshaker.setIdentificationProtocol(identificationProtocol); 2133 handshaker.setAlgorithmConstraints(algorithmConstraints); 2134 if (roleIsServer) { 2135 handshaker.setSNIMatchers(sniMatchers); 2136 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites); 2137 } else { 2138 handshaker.setSNIServerNames(serverNames); 2139 } 2140 } 2141 } 2142 2143 /** 2144 * Returns a boolean indicating whether the ChangeCipherSpec message 2145 * has been received for this handshake. 2146 */ 2147 boolean receivedChangeCipherSpec() { 2148 return receivedCCS; 2149 } 2150 2151 /** 2152 * Returns a printable representation of this end of the connection. 2153 */ 2154 @Override 2155 public String toString() { 2156 StringBuilder retval = new StringBuilder(80); 2157 2158 retval.append(Integer.toHexString(hashCode())); 2159 retval.append("["); 2160 retval.append("SSLEngine[hostname="); 2161 String host = getPeerHost(); 2162 retval.append((host == null) ? "null" : host); 2163 retval.append(" port="); 2164 retval.append(Integer.toString(getPeerPort())); 2165 retval.append("] "); 2166 retval.append(getSession().getCipherSuite()); 2167 retval.append("]"); 2168 2169 return retval.toString(); 2170 } 2171 }