1 /* 2 * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 27 package sun.security.ssl; 28 29 import java.io.*; 30 import java.nio.*; 31 import java.net.*; 32 import java.security.GeneralSecurityException; 33 import java.security.AccessController; 34 import java.security.AccessControlContext; 35 import java.security.PrivilegedAction; 36 import java.security.AlgorithmConstraints; 37 import java.util.*; 38 import java.util.concurrent.TimeUnit; 39 import java.util.concurrent.locks.ReentrantLock; 40 41 import javax.crypto.BadPaddingException; 42 import javax.net.ssl.*; 43 import sun.misc.ManagedLocalsThread; 44 45 import jdk.internal.misc.JavaNetInetAddressAccess; 46 import jdk.internal.misc.SharedSecrets; 47 48 /** 49 * Implementation of an SSL socket. This is a normal connection type 50 * socket, implementing SSL over some lower level socket, such as TCP. 51 * Because it is layered over some lower level socket, it MUST override 52 * all default socket methods. 53 * 54 * <P> This API offers a non-traditional option for establishing SSL 55 * connections. You may first establish the connection directly, then pass 56 * that connection to the SSL socket constructor with a flag saying which 57 * role should be taken in the handshake protocol. (The two ends of the 58 * connection must not choose the same role!) This allows setup of SSL 59 * proxying or tunneling, and also allows the kind of "role reversal" 60 * that is required for most FTP data transfers. 61 * 62 * @see javax.net.ssl.SSLSocket 63 * @see SSLServerSocket 64 * 65 * @author David Brownell 66 */ 67 public final class SSLSocketImpl extends BaseSSLSocketImpl { 68 69 /* 70 * ERROR HANDLING GUIDELINES 71 * (which exceptions to throw and catch and which not to throw and catch) 72 * 73 * . if there is an IOException (SocketException) when accessing the 74 * underlying Socket, pass it through 75 * 76 * . do not throw IOExceptions, throw SSLExceptions (or a subclass) 77 * 78 * . for internal errors (things that indicate a bug in JSSE or a 79 * grossly misconfigured J2RE), throw either an SSLException or 80 * a RuntimeException at your convenience. 81 * 82 * . handshaking code (Handshaker or HandshakeMessage) should generally 83 * pass through exceptions, but can handle them if they know what to 84 * do. 85 * 86 * . exception chaining should be used for all new code. If you happen 87 * to touch old code that does not use chaining, you should change it. 88 * 89 * . there is a top level exception handler that sits at all entry 90 * points from application code to SSLSocket read/write code. It 91 * makes sure that all errors are handled (see handleException()). 92 * 93 * . JSSE internal code should generally not call close(), call 94 * closeInternal(). 95 */ 96 97 /* 98 * There's a state machine associated with each connection, which 99 * among other roles serves to negotiate session changes. 100 * 101 * - START with constructor, until the TCP connection's around. 102 * - HANDSHAKE picks session parameters before allowing traffic. 103 * There are many substates due to sequencing requirements 104 * for handshake messages. 105 * - DATA may be transmitted. 106 * - RENEGOTIATE state allows concurrent data and handshaking 107 * traffic ("same" substates as HANDSHAKE), and terminates 108 * in selection of new session (and connection) parameters 109 * - ERROR state immediately precedes abortive disconnect. 110 * - SENT_CLOSE sent a close_notify to the peer. For layered, 111 * non-autoclose socket, must now read close_notify 112 * from peer before closing the connection. For nonlayered or 113 * non-autoclose socket, close connection and go onto 114 * cs_CLOSED state. 115 * - CLOSED after sending close_notify alert, & socket is closed. 116 * SSL connection objects are not reused. 117 * - APP_CLOSED once the application calls close(). Then it behaves like 118 * a closed socket, e.g.. getInputStream() throws an Exception. 119 * 120 * State affects what SSL record types may legally be sent: 121 * 122 * - Handshake ... only in HANDSHAKE and RENEGOTIATE states 123 * - App Data ... only in DATA and RENEGOTIATE states 124 * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE 125 * 126 * Re what may be received: same as what may be sent, except that 127 * HandshakeRequest handshaking messages can come from servers even 128 * in the application data state, to request entry to RENEGOTIATE. 129 * 130 * The state machine within HANDSHAKE and RENEGOTIATE states controls 131 * the pending session, not the connection state, until the change 132 * cipher spec and "Finished" handshake messages are processed and 133 * make the "new" session become the current one. 134 * 135 * NOTE: details of the SMs always need to be nailed down better. 136 * The text above illustrates the core ideas. 137 * 138 * +---->-------+------>--------->-------+ 139 * | | | 140 * <-----< ^ ^ <-----< v 141 *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE SENT_CLOSE 142 * v v v | | 143 * | | | | v 144 * +------------+---------------+ v ERROR 145 * | | | 146 * v | | 147 * ERROR>------>----->CLOSED<--------<----+-- + 148 * | 149 * v 150 * APP_CLOSED 151 * 152 * ALSO, note that the purpose of handshaking (renegotiation is 153 * included) is to assign a different, and perhaps new, session to 154 * the connection. The SSLv3 spec is a bit confusing on that new 155 * protocol feature. 156 */ 157 private static final int cs_START = 0; 158 private static final int cs_HANDSHAKE = 1; 159 private static final int cs_DATA = 2; 160 private static final int cs_RENEGOTIATE = 3; 161 private static final int cs_ERROR = 4; 162 private static final int cs_SENT_CLOSE = 5; 163 private static final int cs_CLOSED = 6; 164 private static final int cs_APP_CLOSED = 7; 165 166 /* 167 * Drives the protocol state machine. 168 */ 169 private volatile int connectionState; 170 171 /* 172 * Flag indicating if the next record we receive MUST be a Finished 173 * message. Temporarily set during the handshake to ensure that 174 * a change cipher spec message is followed by a finished message. 175 */ 176 private boolean expectingFinished; 177 178 /* 179 * For improved diagnostics, we detail connection closure 180 * If the socket is closed (connectionState >= cs_ERROR), 181 * closeReason != null indicates if the socket was closed 182 * because of an error or because or normal shutdown. 183 */ 184 private SSLException closeReason; 185 186 /* 187 * Per-connection private state that doesn't change when the 188 * session is changed. 189 */ 190 private ClientAuthType doClientAuth = 191 ClientAuthType.CLIENT_AUTH_NONE; 192 private boolean roleIsServer; 193 private boolean enableSessionCreation = true; 194 private String host; 195 private boolean autoClose = true; 196 private AccessControlContext acc; 197 198 // The cipher suites enabled for use on this connection. 199 private CipherSuiteList enabledCipherSuites; 200 201 // The endpoint identification protocol 202 private String identificationProtocol = null; 203 204 // The cryptographic algorithm constraints 205 private AlgorithmConstraints algorithmConstraints = null; 206 207 // The server name indication and matchers 208 List<SNIServerName> serverNames = 209 Collections.<SNIServerName>emptyList(); 210 Collection<SNIMatcher> sniMatchers = 211 Collections.<SNIMatcher>emptyList(); 212 213 // Is the serverNames set to empty with SSLParameters.setServerNames()? 214 private boolean noSniExtension = false; 215 216 // Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()? 217 private boolean noSniMatcher = false; 218 219 // Configured application protocol values 220 String[] applicationProtocols = new String[0]; 221 222 // Negotiated application protocol value. 223 // 224 // The value under negotiation will be obtained from handshaker. 225 String applicationProtocol = null; 226 227 /* 228 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME * 229 * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES. 230 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME * 231 * 232 * There are several locks here. 233 * 234 * The primary lock is the per-instance lock used by 235 * synchronized(this) and the synchronized methods. It controls all 236 * access to things such as the connection state and variables which 237 * affect handshaking. If we are inside a synchronized method, we 238 * can access the state directly, otherwise, we must use the 239 * synchronized equivalents. 240 * 241 * The handshakeLock is used to ensure that only one thread performs 242 * the *complete initial* handshake. If someone is handshaking, any 243 * stray application or startHandshake() requests who find the 244 * connection state is cs_HANDSHAKE will stall on handshakeLock 245 * until handshaking is done. Once the handshake is done, we either 246 * succeeded or failed, but we can never go back to the cs_HANDSHAKE 247 * or cs_START state again. 248 * 249 * Note that the read/write() calls here in SSLSocketImpl are not 250 * obviously synchronized. In fact, it's very nonintuitive, and 251 * requires careful examination of code paths. Grab some coffee, 252 * and be careful with any code changes. 253 * 254 * There can be only three threads active at a time in the I/O 255 * subsection of this class. 256 * 1. startHandshake 257 * 2. AppInputStream 258 * 3. AppOutputStream 259 * One thread could call startHandshake(). 260 * AppInputStream/AppOutputStream read() and write() calls are each 261 * synchronized on 'this' in their respective classes, so only one 262 * app. thread will be doing a SSLSocketImpl.read() or .write()'s at 263 * a time. 264 * 265 * If handshaking is required (state cs_HANDSHAKE), and 266 * getConnectionState() for some/all threads returns cs_HANDSHAKE, 267 * only one can grab the handshakeLock, and the rest will stall 268 * either on getConnectionState(), or on the handshakeLock if they 269 * happen to successfully race through the getConnectionState(). 270 * 271 * If a writer is doing the initial handshaking, it must create a 272 * temporary reader to read the responses from the other side. As a 273 * side-effect, the writer's reader will have priority over any 274 * other reader. However, the writer's reader is not allowed to 275 * consume any application data. When handshakeLock is finally 276 * released, we either have a cs_DATA connection, or a 277 * cs_CLOSED/cs_ERROR socket. 278 * 279 * The writeLock is held while writing on a socket connection and 280 * also to protect the MAC and cipher for their direction. The 281 * writeLock is package private for Handshaker which holds it while 282 * writing the ChangeCipherSpec message. 283 * 284 * To avoid the problem of a thread trying to change operational 285 * modes on a socket while handshaking is going on, we synchronize 286 * on 'this'. If handshaking has not started yet, we tell the 287 * handshaker to change its mode. If handshaking has started, 288 * we simply store that request until the next pending session 289 * is created, at which time the new handshaker's state is set. 290 * 291 * The readLock is held during readRecord(), which is responsible 292 * for reading an SSLInputRecord, decrypting it, and processing it. 293 * The readLock ensures that these three steps are done atomically 294 * and that once started, no other thread can block on SSLInputRecord.read. 295 * This is necessary so that processing of close_notify alerts 296 * from the peer are handled properly. 297 */ 298 private final Object handshakeLock = new Object(); 299 final ReentrantLock writeLock = new ReentrantLock(); 300 private final Object readLock = new Object(); 301 302 InputRecord inputRecord; 303 OutputRecord outputRecord; 304 305 /* 306 * security parameters for secure renegotiation. 307 */ 308 private boolean secureRenegotiation; 309 private byte[] clientVerifyData; 310 private byte[] serverVerifyData; 311 312 /* 313 * The authentication context holds all information used to establish 314 * who this end of the connection is (certificate chains, private keys, 315 * etc) and who is trusted (e.g. as CAs or websites). 316 */ 317 private SSLContextImpl sslContext; 318 319 320 /* 321 * This connection is one of (potentially) many associated with 322 * any given session. The output of the handshake protocol is a 323 * new session ... although all the protocol description talks 324 * about changing the cipher spec (and it does change), in fact 325 * that's incidental since it's done by changing everything that 326 * is associated with a session at the same time. (TLS/IETF may 327 * change that to add client authentication w/o new key exchg.) 328 */ 329 private Handshaker handshaker; 330 private SSLSessionImpl sess; 331 private volatile SSLSessionImpl handshakeSession; 332 333 334 /* 335 * If anyone wants to get notified about handshake completions, 336 * they'll show up on this list. 337 */ 338 private HashMap<HandshakeCompletedListener, AccessControlContext> 339 handshakeListeners; 340 341 /* 342 * Reuse the same internal input/output streams. 343 */ 344 private InputStream sockInput; 345 private OutputStream sockOutput; 346 347 348 /* 349 * These input and output streams block their data in SSL records, 350 * and usually arrange integrity and privacy protection for those 351 * records. The guts of the SSL protocol are wrapped up in these 352 * streams, and in the handshaking that establishes the details of 353 * that integrity and privacy protection. 354 */ 355 private AppInputStream input; 356 private AppOutputStream output; 357 358 /* 359 * The protocol versions enabled for use on this connection. 360 * 361 * Note: we support a pseudo protocol called SSLv2Hello which when 362 * set will result in an SSL v2 Hello being sent with SSL (version 3.0) 363 * or TLS (version 3.1, 3.2, etc.) version info. 364 */ 365 private ProtocolList enabledProtocols; 366 367 /* 368 * The SSL version associated with this connection. 369 */ 370 private ProtocolVersion protocolVersion = ProtocolVersion.DEFAULT_TLS; 371 372 /* Class and subclass dynamic debugging support */ 373 private static final Debug debug = Debug.getInstance("ssl"); 374 375 /* 376 * Is it the first application record to write? 377 */ 378 private boolean isFirstAppOutputRecord = true; 379 380 /* 381 * If AppOutputStream needs to delay writes of small packets, we 382 * will use this to store the data until we actually do the write. 383 */ 384 private ByteArrayOutputStream heldRecordBuffer = null; 385 386 /* 387 * Whether local cipher suites preference in server side should be 388 * honored during handshaking? 389 */ 390 private boolean preferLocalCipherSuites = false; 391 392 /* 393 * The maximum expected network packet size for SSL/TLS/DTLS records. 394 */ 395 private int maximumPacketSize = 0; 396 397 /* 398 * Is the local name service trustworthy? 399 * 400 * If the local name service is not trustworthy, reverse host name 401 * resolution should not be performed for endpoint identification. 402 */ 403 static final boolean trustNameService = 404 Debug.getBooleanProperty("jdk.tls.trustNameService", false); 405 406 // 407 // CONSTRUCTORS AND INITIALIZATION CODE 408 // 409 410 /** 411 * Constructs an SSL connection to a named host at a specified port, 412 * using the authentication context provided. This endpoint acts as 413 * the client, and may rejoin an existing SSL session if appropriate. 414 * 415 * @param context authentication context to use 416 * @param host name of the host with which to connect 417 * @param port number of the server's port 418 */ 419 SSLSocketImpl(SSLContextImpl context, String host, int port) 420 throws IOException, UnknownHostException { 421 super(); 422 this.host = host; 423 this.serverNames = 424 Utilities.addToSNIServerNameList(this.serverNames, this.host); 425 init(context, false); 426 SocketAddress socketAddress = 427 host != null ? new InetSocketAddress(host, port) : 428 new InetSocketAddress(InetAddress.getByName(null), port); 429 connect(socketAddress, 0); 430 } 431 432 433 /** 434 * Constructs an SSL connection to a server at a specified address. 435 * and TCP port, using the authentication context provided. This 436 * endpoint acts as the client, and may rejoin an existing SSL session 437 * if appropriate. 438 * 439 * @param context authentication context to use 440 * @param address the server's host 441 * @param port its port 442 */ 443 SSLSocketImpl(SSLContextImpl context, InetAddress host, int port) 444 throws IOException { 445 super(); 446 init(context, false); 447 SocketAddress socketAddress = new InetSocketAddress(host, port); 448 connect(socketAddress, 0); 449 } 450 451 /** 452 * Constructs an SSL connection to a named host at a specified port, 453 * using the authentication context provided. This endpoint acts as 454 * the client, and may rejoin an existing SSL session if appropriate. 455 * 456 * @param context authentication context to use 457 * @param host name of the host with which to connect 458 * @param port number of the server's port 459 * @param localAddr the local address the socket is bound to 460 * @param localPort the local port the socket is bound to 461 */ 462 SSLSocketImpl(SSLContextImpl context, String host, int port, 463 InetAddress localAddr, int localPort) 464 throws IOException, UnknownHostException { 465 super(); 466 this.host = host; 467 this.serverNames = 468 Utilities.addToSNIServerNameList(this.serverNames, this.host); 469 init(context, false); 470 bind(new InetSocketAddress(localAddr, localPort)); 471 SocketAddress socketAddress = 472 host != null ? new InetSocketAddress(host, port) : 473 new InetSocketAddress(InetAddress.getByName(null), port); 474 connect(socketAddress, 0); 475 } 476 477 478 /** 479 * Constructs an SSL connection to a server at a specified address. 480 * and TCP port, using the authentication context provided. This 481 * endpoint acts as the client, and may rejoin an existing SSL session 482 * if appropriate. 483 * 484 * @param context authentication context to use 485 * @param address the server's host 486 * @param port its port 487 * @param localAddr the local address the socket is bound to 488 * @param localPort the local port the socket is bound to 489 */ 490 SSLSocketImpl(SSLContextImpl context, InetAddress host, int port, 491 InetAddress localAddr, int localPort) 492 throws IOException { 493 super(); 494 init(context, false); 495 bind(new InetSocketAddress(localAddr, localPort)); 496 SocketAddress socketAddress = new InetSocketAddress(host, port); 497 connect(socketAddress, 0); 498 } 499 500 /* 501 * Package-private constructor used ONLY by SSLServerSocket. The 502 * java.net package accepts the TCP connection after this call is 503 * made. This just initializes handshake state to use "server mode", 504 * giving control over the use of SSL client authentication. 505 */ 506 SSLSocketImpl(SSLContextImpl context, boolean serverMode, 507 CipherSuiteList suites, ClientAuthType clientAuth, 508 boolean sessionCreation, ProtocolList protocols, 509 String identificationProtocol, 510 AlgorithmConstraints algorithmConstraints, 511 Collection<SNIMatcher> sniMatchers, 512 boolean preferLocalCipherSuites) throws IOException { 513 514 super(); 515 doClientAuth = clientAuth; 516 enableSessionCreation = sessionCreation; 517 this.identificationProtocol = identificationProtocol; 518 this.algorithmConstraints = algorithmConstraints; 519 this.sniMatchers = sniMatchers; 520 this.preferLocalCipherSuites = preferLocalCipherSuites; 521 init(context, serverMode); 522 523 /* 524 * Override what was picked out for us. 525 */ 526 enabledCipherSuites = suites; 527 enabledProtocols = protocols; 528 } 529 530 531 /** 532 * Package-private constructor used to instantiate an unconnected 533 * socket. The java.net package will connect it, either when the 534 * connect() call is made by the application. This instance is 535 * meant to set handshake state to use "client mode". 536 */ 537 SSLSocketImpl(SSLContextImpl context) { 538 super(); 539 init(context, false); 540 } 541 542 543 /** 544 * Layer SSL traffic over an existing connection, rather than creating 545 * a new connection. The existing connection may be used only for SSL 546 * traffic (using this SSLSocket) until the SSLSocket.close() call 547 * returns. However, if a protocol error is detected, that existing 548 * connection is automatically closed. 549 * 550 * <P> This particular constructor always uses the socket in the 551 * role of an SSL client. It may be useful in cases which start 552 * using SSL after some initial data transfers, for example in some 553 * SSL tunneling applications or as part of some kinds of application 554 * protocols which negotiate use of a SSL based security. 555 * 556 * @param sock the existing connection 557 * @param context the authentication context to use 558 */ 559 SSLSocketImpl(SSLContextImpl context, Socket sock, String host, 560 int port, boolean autoClose) throws IOException { 561 super(sock); 562 // We always layer over a connected socket 563 if (!sock.isConnected()) { 564 throw new SocketException("Underlying socket is not connected"); 565 } 566 this.host = host; 567 this.serverNames = 568 Utilities.addToSNIServerNameList(this.serverNames, this.host); 569 init(context, false); 570 this.autoClose = autoClose; 571 doneConnect(); 572 } 573 574 /** 575 * Creates a server mode {@link Socket} layered over an 576 * existing connected socket, and is able to read data which has 577 * already been consumed/removed from the {@link Socket}'s 578 * underlying {@link InputStream}. 579 */ 580 SSLSocketImpl(SSLContextImpl context, Socket sock, 581 InputStream consumed, boolean autoClose) throws IOException { 582 super(sock, consumed); 583 // We always layer over a connected socket 584 if (!sock.isConnected()) { 585 throw new SocketException("Underlying socket is not connected"); 586 } 587 588 // In server mode, it is not necessary to set host and serverNames. 589 // Otherwise, would require a reverse DNS lookup to get the hostname. 590 591 init(context, true); 592 this.autoClose = autoClose; 593 doneConnect(); 594 } 595 596 /** 597 * Initializes the client socket. 598 */ 599 private void init(SSLContextImpl context, boolean isServer) { 600 sslContext = context; 601 sess = SSLSessionImpl.nullSession; 602 handshakeSession = null; 603 604 /* 605 * role is as specified, state is START until after 606 * the low level connection's established. 607 */ 608 roleIsServer = isServer; 609 connectionState = cs_START; 610 611 // initial security parameters for secure renegotiation 612 secureRenegotiation = false; 613 clientVerifyData = new byte[0]; 614 serverVerifyData = new byte[0]; 615 616 enabledCipherSuites = 617 sslContext.getDefaultCipherSuiteList(roleIsServer); 618 enabledProtocols = 619 sslContext.getDefaultProtocolList(roleIsServer); 620 621 inputRecord = new SSLSocketInputRecord();; 622 outputRecord = new SSLSocketOutputRecord(); 623 624 maximumPacketSize = outputRecord.getMaxPacketSize(); 625 626 // save the acc 627 acc = AccessController.getContext(); 628 629 input = new AppInputStream(this); 630 output = new AppOutputStream(this); 631 } 632 633 /** 634 * Connects this socket to the server with a specified timeout 635 * value. 636 * 637 * This method is either called on an unconnected SSLSocketImpl by the 638 * application, or it is called in the constructor of a regular 639 * SSLSocketImpl. If we are layering on top on another socket, then 640 * this method should not be called, because we assume that the 641 * underlying socket is already connected by the time it is passed to 642 * us. 643 * 644 * @param endpoint the <code>SocketAddress</code> 645 * @param timeout the timeout value to be used, 0 is no timeout 646 * @throws IOException if an error occurs during the connection 647 * @throws SocketTimeoutException if timeout expires before connecting 648 */ 649 @Override 650 public void connect(SocketAddress endpoint, int timeout) 651 throws IOException { 652 653 if (isLayered()) { 654 throw new SocketException("Already connected"); 655 } 656 657 if (!(endpoint instanceof InetSocketAddress)) { 658 throw new SocketException( 659 "Cannot handle non-Inet socket addresses."); 660 } 661 662 super.connect(endpoint, timeout); 663 664 if (host == null || host.length() == 0) { 665 useImplicitHost(false); 666 } 667 668 doneConnect(); 669 } 670 671 /** 672 * Initialize the handshaker and socket streams. 673 * 674 * Called by connect, the layered constructor, and SSLServerSocket. 675 */ 676 void doneConnect() throws IOException { 677 /* 678 * Save the input and output streams. May be done only after 679 * java.net actually connects using the socket "self", else 680 * we get some pretty bizarre failure modes. 681 */ 682 sockInput = super.getInputStream(); 683 sockOutput = super.getOutputStream(); 684 685 inputRecord.setDeliverStream(sockOutput); 686 outputRecord.setDeliverStream(sockOutput); 687 688 /* 689 * Move to handshaking state, with pending session initialized 690 * to defaults and the appropriate kind of handshaker set up. 691 */ 692 initHandshaker(); 693 } 694 695 private synchronized int getConnectionState() { 696 return connectionState; 697 } 698 699 private synchronized void setConnectionState(int state) { 700 connectionState = state; 701 } 702 703 AccessControlContext getAcc() { 704 return acc; 705 } 706 707 // 708 // READING AND WRITING RECORDS 709 // 710 711 /* 712 * Application data record output. 713 * 714 * Application data can't be sent until the first handshake establishes 715 * a session. 716 */ 717 void writeRecord(byte[] source, int offset, int length) throws IOException { 718 /* 719 * The loop is in case of HANDSHAKE --> ERROR transitions, etc 720 */ 721 // Don't bother to check the emptiness of source applicatoin data 722 // before the security connection established. 723 for (boolean readyForApp = false; !readyForApp;) { 724 /* 725 * Not all states support passing application data. We 726 * synchronize access to the connection state, so that 727 * synchronous handshakes can complete cleanly. 728 */ 729 switch (getConnectionState()) { 730 731 /* 732 * We've deferred the initial handshaking till just now, 733 * when presumably a thread's decided it's OK to block for 734 * longish periods of time for I/O purposes (as well as 735 * configured the cipher suites it wants to use). 736 */ 737 case cs_HANDSHAKE: 738 performInitialHandshake(); 739 break; 740 741 case cs_DATA: 742 case cs_RENEGOTIATE: 743 readyForApp = true; 744 break; 745 746 case cs_ERROR: 747 fatal(Alerts.alert_close_notify, 748 "error while writing to socket"); 749 break; // dummy 750 751 case cs_SENT_CLOSE: 752 case cs_CLOSED: 753 case cs_APP_CLOSED: 754 // we should never get here (check in AppOutputStream) 755 // this is just a fallback 756 if (closeReason != null) { 757 throw closeReason; 758 } else { 759 throw new SocketException("Socket closed"); 760 } 761 762 /* 763 * Else something's goofy in this state machine's use. 764 */ 765 default: 766 throw new SSLProtocolException( 767 "State error, send app data"); 768 } 769 } 770 771 // 772 // Don't bother to really write empty records. We went this 773 // far to drive the handshake machinery, for correctness; not 774 // writing empty records improves performance by cutting CPU 775 // time and network resource usage. However, some protocol 776 // implementations are fragile and don't like to see empty 777 // records, so this also increases robustness. 778 // 779 if (length > 0) { 780 writeLock.lock(); 781 try { 782 outputRecord.deliver(source, offset, length); 783 } catch (SSLHandshakeException she) { 784 // may be record sequence number overflow 785 fatal(Alerts.alert_handshake_failure, she); 786 } catch (IOException e) { 787 fatal(Alerts.alert_unexpected_message, e); 788 } finally { 789 writeLock.unlock(); 790 } 791 } 792 793 /* 794 * Check the sequence number state 795 * 796 * Note that in order to maintain the connection I/O 797 * properly, we check the sequence number after the last 798 * record writing process. As we request renegotiation 799 * or close the connection for wrapped sequence number 800 * when there is enough sequence number space left to 801 * handle a few more records, so the sequence number 802 * of the last record cannot be wrapped. 803 * 804 * Don't bother to kickstart the renegotiation when the 805 * local is asking for it. 806 */ 807 if ((connectionState == cs_DATA) && outputRecord.seqNumIsHuge()) { 808 /* 809 * Ask for renegotiation when need to renew sequence number. 810 * 811 * Don't bother to kickstart the renegotiation when the local is 812 * asking for it. 813 */ 814 if (debug != null && Debug.isOn("ssl")) { 815 System.out.println(Thread.currentThread().getName() + 816 ", request renegotiation " + 817 "to avoid sequence number overflow"); 818 } 819 820 startHandshake(); 821 } 822 } 823 824 /* 825 * Alert record output. 826 */ 827 void writeAlert(byte level, byte description) throws IOException { 828 829 // If the record is a close notify alert, we need to honor 830 // socket option SO_LINGER. Note that we will try to send 831 // the close notify even if the SO_LINGER set to zero. 832 if ((description == Alerts.alert_close_notify) && getSoLinger() >= 0) { 833 834 // keep and clear the current thread interruption status. 835 boolean interrupted = Thread.interrupted(); 836 try { 837 if (writeLock.tryLock(getSoLinger(), TimeUnit.SECONDS)) { 838 try { 839 outputRecord.encodeAlert(level, description); 840 } finally { 841 writeLock.unlock(); 842 } 843 } else { 844 SSLException ssle = new SSLException( 845 "SO_LINGER timeout," + 846 " close_notify message cannot be sent."); 847 848 849 // For layered, non-autoclose sockets, we are not 850 // able to bring them into a usable state, so we 851 // treat it as fatal error. 852 if (isLayered() && !autoClose) { 853 // Note that the alert description is 854 // specified as -1, so no message will be send 855 // to peer anymore. 856 fatal((byte)(-1), ssle); 857 } else if ((debug != null) && Debug.isOn("ssl")) { 858 System.out.println( 859 Thread.currentThread().getName() + 860 ", received Exception: " + ssle); 861 } 862 863 // RFC2246 requires that the session becomes 864 // unresumable if any connection is terminated 865 // without proper close_notify messages with 866 // level equal to warning. 867 // 868 // RFC4346 no longer requires that a session not be 869 // resumed if failure to properly close a connection. 870 // 871 // We choose to make the session unresumable if 872 // failed to send the close_notify message. 873 // 874 sess.invalidate(); 875 } 876 } catch (InterruptedException ie) { 877 // keep interrupted status 878 interrupted = true; 879 } 880 881 // restore the interrupted status 882 if (interrupted) { 883 Thread.currentThread().interrupt(); 884 } 885 } else { 886 writeLock.lock(); 887 try { 888 outputRecord.encodeAlert(level, description); 889 } finally { 890 writeLock.unlock(); 891 } 892 } 893 894 // Don't bother to check sequence number overlap here. If sequence 895 // number is huge, there should be enough sequence number space to 896 // request renegotiation in next application data read and write. 897 } 898 899 900 int bytesInCompletePacket() throws IOException { 901 if (getConnectionState() == cs_HANDSHAKE) { 902 performInitialHandshake(); 903 } 904 905 synchronized (readLock) { 906 int state = getConnectionState(); 907 if ((state == cs_CLOSED) || 908 (state == cs_ERROR) || (state == cs_APP_CLOSED)) { 909 return -1; 910 } 911 912 try { 913 return inputRecord.bytesInCompletePacket(sockInput); 914 } catch (EOFException eofe) { 915 boolean handshaking = (connectionState <= cs_HANDSHAKE); 916 boolean rethrow = requireCloseNotify || handshaking; 917 if ((debug != null) && Debug.isOn("ssl")) { 918 System.out.println(Thread.currentThread().getName() + 919 ", received EOFException: " 920 + (rethrow ? "error" : "ignored")); 921 } 922 923 if (!rethrow) { 924 // treat as if we had received a close_notify 925 closeInternal(false); 926 } else { 927 SSLException e; 928 if (handshaking) { 929 e = new SSLHandshakeException( 930 "Remote host terminated the handshake"); 931 } else { 932 e = new SSLProtocolException( 933 "Remote host terminated the handshake"); 934 } 935 e.initCause(eofe); 936 throw e; 937 } 938 } 939 940 return -1; 941 } 942 } 943 944 // the caller have synchronized readLock 945 void expectingFinishFlight() { 946 inputRecord.expectingFinishFlight(); 947 } 948 949 /* 950 * Read an application data record. 951 * 952 * Alerts and handshake messages are internally handled directly. 953 */ 954 int readRecord(ByteBuffer buffer) throws IOException { 955 if (getConnectionState() == cs_HANDSHAKE) { 956 performInitialHandshake(); 957 } 958 959 return readRecord(buffer, true); 960 } 961 962 /* 963 * Read a record, no application data input required. 964 * 965 * Alerts and handshake messages are internally handled directly. 966 */ 967 int readRecord(boolean needAppData) throws IOException { 968 return readRecord(null, needAppData); 969 } 970 971 /* 972 * Clear the pipeline of records from the peer, optionally returning 973 * application data. Caller is responsible for knowing that it's 974 * possible to do this kind of clearing, if they don't want app 975 * data -- e.g. since it's the initial SSL handshake. 976 * 977 * Don't synchronize (this) during a blocking read() since it 978 * protects data which is accessed on the write side as well. 979 */ 980 private int readRecord(ByteBuffer buffer, boolean needAppData) 981 throws IOException { 982 int state; 983 984 // readLock protects reading and processing of an SSLInputRecord. 985 // It keeps the reading from sockInput and processing of the record 986 // atomic so that no two threads can be blocked on the 987 // read from the same input stream at the same time. 988 // This is required for example when a reader thread is 989 // blocked on the read and another thread is trying to 990 // close the socket. For a non-autoclose, layered socket, 991 // the thread performing the close needs to read the close_notify. 992 // 993 // Use readLock instead of 'this' for locking because 994 // 'this' also protects data accessed during writing. 995 synchronized (readLock) { 996 /* 997 * Read and handle records ... return application data 998 * ONLY if it's needed. 999 */ 1000 Plaintext plainText = null; 1001 while (((state = getConnectionState()) != cs_CLOSED) && 1002 (state != cs_ERROR) && (state != cs_APP_CLOSED)) { 1003 // clean the buffer 1004 if (buffer != null) { 1005 buffer.clear(); 1006 } 1007 1008 /* 1009 * Read a record ... maybe emitting an alert if we get a 1010 * comprehensible but unsupported "hello" message during 1011 * format checking (e.g. V2). 1012 */ 1013 try { 1014 plainText = inputRecord.decode(sockInput, buffer); 1015 } catch (BadPaddingException bpe) { 1016 byte alertType = (state != cs_DATA) ? 1017 Alerts.alert_handshake_failure : 1018 Alerts.alert_bad_record_mac; 1019 fatal(alertType, bpe.getMessage(), bpe); 1020 } catch (SSLProtocolException spe) { 1021 try { 1022 fatal(Alerts.alert_unexpected_message, spe); 1023 } catch (IOException x) { 1024 // discard this exception, throw the original exception 1025 } 1026 throw spe; 1027 } catch (SSLHandshakeException she) { 1028 // may be record sequence number overflow 1029 fatal(Alerts.alert_handshake_failure, she); 1030 } catch (EOFException eof) { 1031 boolean handshaking = (connectionState <= cs_HANDSHAKE); 1032 boolean rethrow = requireCloseNotify || handshaking; 1033 if ((debug != null) && Debug.isOn("ssl")) { 1034 System.out.println(Thread.currentThread().getName() + 1035 ", received EOFException: " 1036 + (rethrow ? "error" : "ignored")); 1037 } 1038 if (rethrow) { 1039 SSLException e; 1040 if (handshaking) { 1041 e = new SSLHandshakeException( 1042 "Remote host terminated the handshake"); 1043 } else { 1044 e = new SSLProtocolException( 1045 "Remote host terminated the connection"); 1046 } 1047 e.initCause(eof); 1048 throw e; 1049 } else { 1050 // treat as if we had received a close_notify 1051 closeInternal(false); 1052 continue; 1053 } 1054 } 1055 1056 // PlainText should never be null. Process input record. 1057 int volume = processInputRecord(plainText, needAppData); 1058 1059 if (plainText.contentType == Record.ct_application_data) { 1060 return volume; 1061 } 1062 1063 if (plainText.contentType == Record.ct_handshake) { 1064 if (!needAppData && connectionState == cs_DATA) { 1065 return volume; 1066 } // otherwise, need to read more for app data. 1067 } 1068 1069 // continue to read more net data 1070 } // while 1071 1072 // 1073 // couldn't read, due to some kind of error 1074 // 1075 return -1; 1076 } // readLock synchronization 1077 } 1078 1079 /* 1080 * Process the plainText input record. 1081 */ 1082 private synchronized int processInputRecord( 1083 Plaintext plainText, boolean needAppData) throws IOException { 1084 1085 /* 1086 * Process the record. 1087 */ 1088 int volume = 0; // no application data 1089 switch (plainText.contentType) { 1090 case Record.ct_handshake: 1091 /* 1092 * Handshake messages always go to a pending session 1093 * handshaker ... if there isn't one, create one. This 1094 * must work asynchronously, for renegotiation. 1095 * 1096 * NOTE that handshaking will either resume a session 1097 * which was in the cache (and which might have other 1098 * connections in it already), or else will start a new 1099 * session (new keys exchanged) with just this connection 1100 * in it. 1101 */ 1102 initHandshaker(); 1103 if (!handshaker.activated()) { 1104 // prior to handshaking, activate the handshake 1105 if (connectionState == cs_RENEGOTIATE) { 1106 // don't use SSLv2Hello when renegotiating 1107 handshaker.activate(protocolVersion); 1108 } else { 1109 handshaker.activate(null); 1110 } 1111 } 1112 1113 /* 1114 * process the handshake record ... may contain just 1115 * a partial handshake message or multiple messages. 1116 * 1117 * The handshaker state machine will ensure that it's 1118 * a finished message. 1119 */ 1120 handshaker.processRecord(plainText.fragment, expectingFinished); 1121 expectingFinished = false; 1122 1123 if (handshaker.invalidated) { 1124 handshaker = null; 1125 inputRecord.setHandshakeHash(null); 1126 outputRecord.setHandshakeHash(null); 1127 1128 // if state is cs_RENEGOTIATE, revert it to cs_DATA 1129 if (connectionState == cs_RENEGOTIATE) { 1130 connectionState = cs_DATA; 1131 } 1132 } else if (handshaker.isDone()) { 1133 // reset the parameters for secure renegotiation. 1134 secureRenegotiation = 1135 handshaker.isSecureRenegotiation(); 1136 clientVerifyData = handshaker.getClientVerifyData(); 1137 serverVerifyData = handshaker.getServerVerifyData(); 1138 // set connection ALPN value 1139 applicationProtocol = 1140 handshaker.getHandshakeApplicationProtocol(); 1141 1142 sess = handshaker.getSession(); 1143 handshakeSession = null; 1144 handshaker = null; 1145 inputRecord.setHandshakeHash(null); 1146 outputRecord.setHandshakeHash(null); 1147 connectionState = cs_DATA; 1148 1149 // 1150 // Tell folk about handshake completion, but do 1151 // it in a separate thread. 1152 // 1153 if (handshakeListeners != null) { 1154 HandshakeCompletedEvent event = 1155 new HandshakeCompletedEvent(this, sess); 1156 1157 Thread thread = new ManagedLocalsThread( 1158 new NotifyHandshake( 1159 handshakeListeners.entrySet(), event), 1160 "HandshakeCompletedNotify-Thread"); 1161 thread.start(); 1162 } 1163 } 1164 1165 break; 1166 1167 case Record.ct_application_data: 1168 if (connectionState != cs_DATA 1169 && connectionState != cs_RENEGOTIATE 1170 && connectionState != cs_SENT_CLOSE) { 1171 throw new SSLProtocolException( 1172 "Data received in non-data state: " + 1173 connectionState); 1174 } 1175 if (expectingFinished) { 1176 throw new SSLProtocolException 1177 ("Expecting finished message, received data"); 1178 } 1179 if (!needAppData) { 1180 throw new SSLException("Discarding app data"); 1181 } 1182 1183 volume = plainText.fragment.remaining(); 1184 break; 1185 1186 case Record.ct_alert: 1187 recvAlert(plainText.fragment); 1188 break; 1189 1190 case Record.ct_change_cipher_spec: 1191 if ((connectionState != cs_HANDSHAKE 1192 && connectionState != cs_RENEGOTIATE)) { 1193 // For the CCS message arriving in the wrong state 1194 fatal(Alerts.alert_unexpected_message, 1195 "illegal change cipher spec msg, conn state = " 1196 + connectionState); 1197 } else if (plainText.fragment.remaining() != 1 1198 || plainText.fragment.get() != 1) { 1199 // For structural/content issues with the CCS 1200 fatal(Alerts.alert_unexpected_message, 1201 "Malformed change cipher spec msg"); 1202 } 1203 1204 // 1205 // The first message after a change_cipher_spec 1206 // record MUST be a "Finished" handshake record, 1207 // else it's a protocol violation. We force this 1208 // to be checked by a minor tweak to the state 1209 // machine. 1210 // 1211 handshaker.receiveChangeCipherSpec(); 1212 1213 CipherBox readCipher; 1214 Authenticator readAuthenticator; 1215 try { 1216 readCipher = handshaker.newReadCipher(); 1217 readAuthenticator = handshaker.newReadAuthenticator(); 1218 } catch (GeneralSecurityException e) { 1219 // can't happen 1220 throw new SSLException("Algorithm missing: ", e); 1221 } 1222 inputRecord.changeReadCiphers(readAuthenticator, readCipher); 1223 1224 // next message MUST be a finished message 1225 expectingFinished = true; 1226 1227 break; 1228 1229 default: 1230 // 1231 // TLS requires that unrecognized records be ignored. 1232 // 1233 if (debug != null && Debug.isOn("ssl")) { 1234 System.out.println(Thread.currentThread().getName() + 1235 ", Received record type: " + plainText.contentType); 1236 } 1237 break; 1238 } 1239 1240 /* 1241 * Check the sequence number state 1242 * 1243 * Note that in order to maintain the connection I/O 1244 * properly, we check the sequence number after the last 1245 * record reading process. As we request renegotiation 1246 * or close the connection for wrapped sequence number 1247 * when there is enough sequence number space left to 1248 * handle a few more records, so the sequence number 1249 * of the last record cannot be wrapped. 1250 * 1251 * Don't bother to kickstart the renegotiation when the 1252 * local is asking for it. 1253 */ 1254 if ((connectionState == cs_DATA) && inputRecord.seqNumIsHuge()) { 1255 /* 1256 * Ask for renegotiation when need to renew sequence number. 1257 * 1258 * Don't bother to kickstart the renegotiation when the local is 1259 * asking for it. 1260 */ 1261 if (debug != null && Debug.isOn("ssl")) { 1262 System.out.println(Thread.currentThread().getName() + 1263 ", request renegotiation " + 1264 "to avoid sequence number overflow"); 1265 } 1266 1267 startHandshake(); 1268 } 1269 1270 return volume; 1271 } 1272 1273 1274 // 1275 // HANDSHAKE RELATED CODE 1276 // 1277 1278 /** 1279 * Return the AppInputStream. For use by Handshaker only. 1280 */ 1281 AppInputStream getAppInputStream() { 1282 return input; 1283 } 1284 1285 /** 1286 * Return the AppOutputStream. For use by Handshaker only. 1287 */ 1288 AppOutputStream getAppOutputStream() { 1289 return output; 1290 } 1291 1292 /** 1293 * Initialize the handshaker object. This means: 1294 * 1295 * . if a handshake is already in progress (state is cs_HANDSHAKE 1296 * or cs_RENEGOTIATE), do nothing and return 1297 * 1298 * . if the socket is already closed, throw an Exception (internal error) 1299 * 1300 * . otherwise (cs_START or cs_DATA), create the appropriate handshaker 1301 * object, and advance the connection state (to cs_HANDSHAKE or 1302 * cs_RENEGOTIATE, respectively). 1303 * 1304 * This method is called right after a new socket is created, when 1305 * starting renegotiation, or when changing client/ server mode of the 1306 * socket. 1307 */ 1308 private void initHandshaker() { 1309 switch (connectionState) { 1310 1311 // 1312 // Starting a new handshake. 1313 // 1314 case cs_START: 1315 case cs_DATA: 1316 break; 1317 1318 // 1319 // We're already in the middle of a handshake. 1320 // 1321 case cs_HANDSHAKE: 1322 case cs_RENEGOTIATE: 1323 return; 1324 1325 // 1326 // Anyone allowed to call this routine is required to 1327 // do so ONLY if the connection state is reasonable... 1328 // 1329 default: 1330 throw new IllegalStateException("Internal error"); 1331 } 1332 1333 // state is either cs_START or cs_DATA 1334 if (connectionState == cs_START) { 1335 connectionState = cs_HANDSHAKE; 1336 } else { // cs_DATA 1337 connectionState = cs_RENEGOTIATE; 1338 } 1339 1340 if (roleIsServer) { 1341 handshaker = new ServerHandshaker(this, sslContext, 1342 enabledProtocols, doClientAuth, 1343 protocolVersion, connectionState == cs_HANDSHAKE, 1344 secureRenegotiation, clientVerifyData, serverVerifyData); 1345 handshaker.setSNIMatchers(sniMatchers); 1346 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites); 1347 } else { 1348 handshaker = new ClientHandshaker(this, sslContext, 1349 enabledProtocols, 1350 protocolVersion, connectionState == cs_HANDSHAKE, 1351 secureRenegotiation, clientVerifyData, serverVerifyData); 1352 handshaker.setSNIServerNames(serverNames); 1353 } 1354 handshaker.setMaximumPacketSize(maximumPacketSize); 1355 handshaker.setEnabledCipherSuites(enabledCipherSuites); 1356 handshaker.setEnableSessionCreation(enableSessionCreation); 1357 handshaker.setApplicationProtocols(applicationProtocols); 1358 } 1359 1360 /** 1361 * Synchronously perform the initial handshake. 1362 * 1363 * If the handshake is already in progress, this method blocks until it 1364 * is completed. If the initial handshake has already been completed, 1365 * it returns immediately. 1366 */ 1367 private void performInitialHandshake() throws IOException { 1368 // use handshakeLock and the state check to make sure only 1369 // one thread performs the handshake 1370 synchronized (handshakeLock) { 1371 if (getConnectionState() == cs_HANDSHAKE) { 1372 kickstartHandshake(); 1373 1374 /* 1375 * All initial handshaking goes through this operation 1376 * until we have a valid SSL connection. 1377 * 1378 * Handle handshake messages only, need no application data. 1379 */ 1380 readRecord(false); 1381 } 1382 } 1383 } 1384 1385 /** 1386 * Starts an SSL handshake on this connection. 1387 */ 1388 @Override 1389 public void startHandshake() throws IOException { 1390 // start an ssl handshake that could be resumed from timeout exception 1391 startHandshake(true); 1392 } 1393 1394 /** 1395 * Starts an ssl handshake on this connection. 1396 * 1397 * @param resumable indicates the handshake process is resumable from a 1398 * certain exception. If <code>resumable</code>, the socket will 1399 * be reserved for exceptions like timeout; otherwise, the socket 1400 * will be closed, no further communications could be done. 1401 */ 1402 private void startHandshake(boolean resumable) throws IOException { 1403 checkWrite(); 1404 try { 1405 if (getConnectionState() == cs_HANDSHAKE) { 1406 // do initial handshake 1407 performInitialHandshake(); 1408 } else { 1409 // start renegotiation 1410 kickstartHandshake(); 1411 } 1412 } catch (Exception e) { 1413 // shutdown and rethrow (wrapped) exception as appropriate 1414 handleException(e, resumable); 1415 } 1416 } 1417 1418 /** 1419 * Kickstart the handshake if it is not already in progress. 1420 * This means: 1421 * 1422 * . if handshaking is already underway, do nothing and return 1423 * 1424 * . if the socket is not connected or already closed, throw an 1425 * Exception. 1426 * 1427 * . otherwise, call initHandshake() to initialize the handshaker 1428 * object and progress the state. Then, send the initial 1429 * handshaking message if appropriate (always on clients and 1430 * on servers when renegotiating). 1431 */ 1432 private synchronized void kickstartHandshake() throws IOException { 1433 1434 switch (connectionState) { 1435 1436 case cs_HANDSHAKE: 1437 // handshaker already setup, proceed 1438 break; 1439 1440 case cs_DATA: 1441 if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) { 1442 throw new SSLHandshakeException( 1443 "Insecure renegotiation is not allowed"); 1444 } 1445 1446 if (!secureRenegotiation) { 1447 if (debug != null && Debug.isOn("handshake")) { 1448 System.out.println( 1449 "Warning: Using insecure renegotiation"); 1450 } 1451 } 1452 1453 // initialize the handshaker, move to cs_RENEGOTIATE 1454 initHandshaker(); 1455 break; 1456 1457 case cs_RENEGOTIATE: 1458 // handshaking already in progress, return 1459 return; 1460 1461 /* 1462 * The only way to get a socket in the state is when 1463 * you have an unconnected socket. 1464 */ 1465 case cs_START: 1466 throw new SocketException( 1467 "handshaking attempted on unconnected socket"); 1468 1469 default: 1470 throw new SocketException("connection is closed"); 1471 } 1472 1473 // 1474 // Kickstart handshake state machine if we need to ... 1475 // 1476 // Note that handshaker.kickstart() writes the message 1477 // to its HandshakeOutStream, which calls back into 1478 // SSLSocketImpl.writeRecord() to send it. 1479 // 1480 if (!handshaker.activated()) { 1481 // prior to handshaking, activate the handshake 1482 if (connectionState == cs_RENEGOTIATE) { 1483 // don't use SSLv2Hello when renegotiating 1484 handshaker.activate(protocolVersion); 1485 } else { 1486 handshaker.activate(null); 1487 } 1488 1489 if (handshaker instanceof ClientHandshaker) { 1490 // send client hello 1491 handshaker.kickstart(); 1492 } else { 1493 if (connectionState == cs_HANDSHAKE) { 1494 // initial handshake, no kickstart message to send 1495 } else { 1496 // we want to renegotiate, send hello request 1497 handshaker.kickstart(); 1498 } 1499 } 1500 } 1501 } 1502 1503 // 1504 // CLOSURE RELATED CALLS 1505 // 1506 1507 /** 1508 * Return whether the socket has been explicitly closed by the application. 1509 */ 1510 @Override 1511 public boolean isClosed() { 1512 return connectionState == cs_APP_CLOSED; 1513 } 1514 1515 /** 1516 * Return whether we have reached end-of-file. 1517 * 1518 * If the socket is not connected, has been shutdown because of an error 1519 * or has been closed, throw an Exception. 1520 */ 1521 boolean checkEOF() throws IOException { 1522 switch (getConnectionState()) { 1523 case cs_START: 1524 throw new SocketException("Socket is not connected"); 1525 1526 case cs_HANDSHAKE: 1527 case cs_DATA: 1528 case cs_RENEGOTIATE: 1529 case cs_SENT_CLOSE: 1530 return false; 1531 1532 case cs_APP_CLOSED: 1533 throw new SocketException("Socket is closed"); 1534 1535 case cs_ERROR: 1536 case cs_CLOSED: 1537 default: 1538 // either closed because of error, or normal EOF 1539 if (closeReason == null) { 1540 return true; 1541 } 1542 IOException e = new SSLException 1543 ("Connection has been shutdown: " + closeReason); 1544 e.initCause(closeReason); 1545 throw e; 1546 1547 } 1548 } 1549 1550 /** 1551 * Check if we can write data to this socket. If not, throw an IOException. 1552 */ 1553 void checkWrite() throws IOException { 1554 if (checkEOF() || (getConnectionState() == cs_SENT_CLOSE)) { 1555 // we are at EOF, write must throw Exception 1556 throw new SocketException("Connection closed by remote host"); 1557 } 1558 } 1559 1560 private void closeSocket() throws IOException { 1561 1562 if ((debug != null) && Debug.isOn("ssl")) { 1563 System.out.println(Thread.currentThread().getName() + 1564 ", called closeSocket()"); 1565 } 1566 1567 super.close(); 1568 } 1569 1570 private void closeSocket(boolean selfInitiated) throws IOException { 1571 if ((debug != null) && Debug.isOn("ssl")) { 1572 System.out.println(Thread.currentThread().getName() + 1573 ", called closeSocket(" + selfInitiated + ")"); 1574 } 1575 if (!isLayered() || autoClose) { 1576 super.close(); 1577 } else if (selfInitiated) { 1578 // layered && non-autoclose 1579 // read close_notify alert to clear input stream 1580 waitForClose(false); 1581 } 1582 } 1583 1584 /* 1585 * Closing the connection is tricky ... we can't officially close the 1586 * connection until we know the other end is ready to go away too, 1587 * and if ever the connection gets aborted we must forget session 1588 * state (it becomes invalid). 1589 */ 1590 1591 /** 1592 * Closes the SSL connection. SSL includes an application level 1593 * shutdown handshake; you should close SSL sockets explicitly 1594 * rather than leaving it for finalization, so that your remote 1595 * peer does not experience a protocol error. 1596 */ 1597 @Override 1598 public void close() throws IOException { 1599 if ((debug != null) && Debug.isOn("ssl")) { 1600 System.out.println(Thread.currentThread().getName() + 1601 ", called close()"); 1602 } 1603 closeInternal(true); // caller is initiating close 1604 1605 // Clearup the resources. 1606 try { 1607 synchronized (readLock) { 1608 inputRecord.close(); 1609 } 1610 1611 writeLock.lock(); 1612 try { 1613 outputRecord.close(); 1614 } finally { 1615 writeLock.unlock(); 1616 } 1617 } catch (IOException ioe) { 1618 // ignore 1619 } 1620 1621 setConnectionState(cs_APP_CLOSED); 1622 } 1623 1624 /** 1625 * Don't synchronize the whole method because waitForClose() 1626 * (which calls readRecord()) might be called. 1627 * 1628 * @param selfInitiated Indicates which party initiated the close. 1629 * If selfInitiated, this side is initiating a close; for layered and 1630 * non-autoclose socket, wait for close_notify response. 1631 * If !selfInitiated, peer sent close_notify; we reciprocate but 1632 * no need to wait for response. 1633 */ 1634 private void closeInternal(boolean selfInitiated) throws IOException { 1635 if ((debug != null) && Debug.isOn("ssl")) { 1636 System.out.println(Thread.currentThread().getName() + 1637 ", called closeInternal(" + selfInitiated + ")"); 1638 } 1639 1640 int state = getConnectionState(); 1641 boolean closeSocketCalled = false; 1642 Throwable cachedThrowable = null; 1643 try { 1644 switch (state) { 1645 case cs_START: 1646 // unconnected socket or handshaking has not been initialized 1647 closeSocket(selfInitiated); 1648 break; 1649 1650 /* 1651 * If we're closing down due to error, we already sent (or else 1652 * received) the fatal alert ... no niceties, blow the connection 1653 * away as quickly as possible (even if we didn't allocate the 1654 * socket ourselves; it's unusable, regardless). 1655 */ 1656 case cs_ERROR: 1657 closeSocket(); 1658 break; 1659 1660 /* 1661 * Sometimes close() gets called more than once. 1662 */ 1663 case cs_CLOSED: 1664 case cs_APP_CLOSED: 1665 break; 1666 1667 /* 1668 * Otherwise we indicate clean termination. 1669 */ 1670 // case cs_HANDSHAKE: 1671 // case cs_DATA: 1672 // case cs_RENEGOTIATE: 1673 // case cs_SENT_CLOSE: 1674 default: 1675 synchronized (this) { 1676 if (((state = getConnectionState()) == cs_CLOSED) || 1677 (state == cs_ERROR) || (state == cs_APP_CLOSED)) { 1678 return; // connection was closed while we waited 1679 } 1680 if (state != cs_SENT_CLOSE) { 1681 try { 1682 warning(Alerts.alert_close_notify); 1683 connectionState = cs_SENT_CLOSE; 1684 } catch (Throwable th) { 1685 // we need to ensure socket is closed out 1686 // if we encounter any errors. 1687 connectionState = cs_ERROR; 1688 // cache this for later use 1689 cachedThrowable = th; 1690 closeSocketCalled = true; 1691 closeSocket(selfInitiated); 1692 } 1693 } 1694 } 1695 // If state was cs_SENT_CLOSE before, we don't do the actual 1696 // closing since it is already in progress. 1697 if (state == cs_SENT_CLOSE) { 1698 if (debug != null && Debug.isOn("ssl")) { 1699 System.out.println(Thread.currentThread().getName() + 1700 ", close invoked again; state = " + 1701 getConnectionState()); 1702 } 1703 if (selfInitiated == false) { 1704 // We were called because a close_notify message was 1705 // received. This may be due to another thread calling 1706 // read() or due to our call to waitForClose() below. 1707 // In either case, just return. 1708 return; 1709 } 1710 // Another thread explicitly called close(). We need to 1711 // wait for the closing to complete before returning. 1712 synchronized (this) { 1713 while (connectionState < cs_CLOSED) { 1714 try { 1715 this.wait(); 1716 } catch (InterruptedException e) { 1717 // ignore 1718 } 1719 } 1720 } 1721 if ((debug != null) && Debug.isOn("ssl")) { 1722 System.out.println(Thread.currentThread().getName() + 1723 ", after primary close; state = " + 1724 getConnectionState()); 1725 } 1726 return; 1727 } 1728 1729 if (!closeSocketCalled) { 1730 closeSocketCalled = true; 1731 closeSocket(selfInitiated); 1732 } 1733 1734 break; 1735 } 1736 } finally { 1737 synchronized (this) { 1738 // Upon exit from this method, the state is always >= cs_CLOSED 1739 connectionState = (connectionState == cs_APP_CLOSED) 1740 ? cs_APP_CLOSED : cs_CLOSED; 1741 // notify any threads waiting for the closing to finish 1742 this.notifyAll(); 1743 } 1744 1745 if (cachedThrowable != null) { 1746 /* 1747 * Rethrow the error to the calling method 1748 * The Throwable caught can only be an Error or RuntimeException 1749 */ 1750 if (cachedThrowable instanceof Error) { 1751 throw (Error)cachedThrowable; 1752 } else if (cachedThrowable instanceof RuntimeException) { 1753 throw (RuntimeException)cachedThrowable; 1754 } // Otherwise, unlikely 1755 } 1756 } 1757 } 1758 1759 /** 1760 * Reads a close_notify or a fatal alert from the input stream. 1761 * Keep reading records until we get a close_notify or until 1762 * the connection is otherwise closed. The close_notify or alert 1763 * might be read by another reader, 1764 * which will then process the close and set the connection state. 1765 */ 1766 void waitForClose(boolean rethrow) throws IOException { 1767 if (debug != null && Debug.isOn("ssl")) { 1768 System.out.println(Thread.currentThread().getName() + 1769 ", waiting for close_notify or alert: state " 1770 + getConnectionState()); 1771 } 1772 1773 try { 1774 int state; 1775 1776 while (((state = getConnectionState()) != cs_CLOSED) && 1777 (state != cs_ERROR) && (state != cs_APP_CLOSED)) { 1778 1779 // Ask for app data and then throw it away 1780 try { 1781 readRecord(true); 1782 } catch (SocketTimeoutException e) { 1783 // if time out, ignore the exception and continue 1784 } 1785 } 1786 } catch (IOException e) { 1787 if (debug != null && Debug.isOn("ssl")) { 1788 System.out.println(Thread.currentThread().getName() + 1789 ", Exception while waiting for close " +e); 1790 } 1791 if (rethrow) { 1792 throw e; // pass exception up 1793 } 1794 } 1795 } 1796 1797 // 1798 // EXCEPTION AND ALERT HANDLING 1799 // 1800 1801 /** 1802 * Handle an exception. This method is called by top level exception 1803 * handlers (in read(), write()) to make sure we always shutdown the 1804 * connection correctly and do not pass runtime exception to the 1805 * application. 1806 */ 1807 void handleException(Exception e) throws IOException { 1808 handleException(e, true); 1809 } 1810 1811 /** 1812 * Handle an exception. This method is called by top level exception 1813 * handlers (in read(), write(), startHandshake()) to make sure we 1814 * always shutdown the connection correctly and do not pass runtime 1815 * exception to the application. 1816 * 1817 * This method never returns normally, it always throws an IOException. 1818 * 1819 * We first check if the socket has already been shutdown because of an 1820 * error. If so, we just rethrow the exception. If the socket has not 1821 * been shutdown, we sent a fatal alert and remember the exception. 1822 * 1823 * @param e the Exception 1824 * @param resumable indicates the caller process is resumable from the 1825 * exception. If <code>resumable</code>, the socket will be 1826 * reserved for exceptions like timeout; otherwise, the socket 1827 * will be closed, no further communications could be done. 1828 */ 1829 private synchronized void handleException(Exception e, boolean resumable) 1830 throws IOException { 1831 if ((debug != null) && Debug.isOn("ssl")) { 1832 System.out.println(Thread.currentThread().getName() + 1833 ", handling exception: " + e.toString()); 1834 } 1835 1836 // don't close the Socket in case of timeouts or interrupts if 1837 // the process is resumable. 1838 if (e instanceof InterruptedIOException && resumable) { 1839 throw (IOException)e; 1840 } 1841 1842 // if we've already shutdown because of an error, 1843 // there is nothing to do except rethrow the exception 1844 if (closeReason != null) { 1845 if (e instanceof IOException) { // includes SSLException 1846 throw (IOException)e; 1847 } else { 1848 // this is odd, not an IOException. 1849 // normally, this should not happen 1850 // if closeReason has been already been set 1851 throw Alerts.getSSLException(Alerts.alert_internal_error, e, 1852 "Unexpected exception"); 1853 } 1854 } 1855 1856 // need to perform error shutdown 1857 boolean isSSLException = (e instanceof SSLException); 1858 if ((!isSSLException) && (e instanceof IOException)) { 1859 // IOException from the socket 1860 // this means the TCP connection is already dead 1861 // we call fatal just to set the error status 1862 try { 1863 fatal(Alerts.alert_unexpected_message, e); 1864 } catch (IOException ee) { 1865 // ignore (IOException wrapped in SSLException) 1866 } 1867 // rethrow original IOException 1868 throw (IOException)e; 1869 } 1870 1871 // must be SSLException or RuntimeException 1872 byte alertType; 1873 if (isSSLException) { 1874 if (e instanceof SSLHandshakeException) { 1875 alertType = Alerts.alert_handshake_failure; 1876 } else { 1877 alertType = Alerts.alert_unexpected_message; 1878 } 1879 } else { 1880 alertType = Alerts.alert_internal_error; 1881 } 1882 fatal(alertType, e); 1883 } 1884 1885 /* 1886 * Send a warning alert. 1887 */ 1888 void warning(byte description) { 1889 sendAlert(Alerts.alert_warning, description); 1890 } 1891 1892 synchronized void fatal(byte description, String diagnostic) 1893 throws IOException { 1894 fatal(description, diagnostic, null); 1895 } 1896 1897 synchronized void fatal(byte description, Throwable cause) 1898 throws IOException { 1899 fatal(description, null, cause); 1900 } 1901 1902 /* 1903 * Send a fatal alert, and throw an exception so that callers will 1904 * need to stand on their heads to accidentally continue processing. 1905 */ 1906 synchronized void fatal(byte description, String diagnostic, 1907 Throwable cause) throws IOException { 1908 1909 // Be care of deadlock. Please don't synchronize readLock. 1910 try { 1911 inputRecord.close(); 1912 } catch (IOException ioe) { 1913 // ignore 1914 } 1915 1916 sess.invalidate(); 1917 if (handshakeSession != null) { 1918 handshakeSession.invalidate(); 1919 } 1920 1921 int oldState = connectionState; 1922 if (connectionState < cs_ERROR) { 1923 connectionState = cs_ERROR; 1924 } 1925 1926 /* 1927 * Has there been an error received yet? If not, remember it. 1928 * By RFC 2246, we don't bother waiting for a response. 1929 * Fatal errors require immediate shutdown. 1930 */ 1931 if (closeReason == null) { 1932 /* 1933 * Try to clear the kernel buffer to avoid TCP connection resets. 1934 */ 1935 if (oldState == cs_HANDSHAKE) { 1936 sockInput.skip(sockInput.available()); 1937 } 1938 1939 // If the description equals -1, the alert won't be sent to peer. 1940 if (description != -1) { 1941 sendAlert(Alerts.alert_fatal, description); 1942 } 1943 if (cause instanceof SSLException) { // only true if != null 1944 closeReason = (SSLException)cause; 1945 } else { 1946 closeReason = 1947 Alerts.getSSLException(description, cause, diagnostic); 1948 } 1949 } 1950 1951 /* 1952 * Clean up our side. 1953 */ 1954 closeSocket(); 1955 1956 // Be care of deadlock. Please don't synchronize writeLock. 1957 try { 1958 outputRecord.close(); 1959 } catch (IOException ioe) { 1960 // ignore 1961 } 1962 1963 throw closeReason; 1964 } 1965 1966 1967 /* 1968 * Process an incoming alert ... caller must already have synchronized 1969 * access to "this". 1970 */ 1971 private void recvAlert(ByteBuffer fragment) throws IOException { 1972 byte level = fragment.get(); 1973 byte description = fragment.get(); 1974 1975 if (description == -1) { // check for short message 1976 fatal(Alerts.alert_illegal_parameter, "Short alert message"); 1977 } 1978 1979 if (debug != null && (Debug.isOn("record") || 1980 Debug.isOn("handshake"))) { 1981 synchronized (System.out) { 1982 System.out.print(Thread.currentThread().getName()); 1983 System.out.print(", RECV " + protocolVersion + " ALERT: "); 1984 if (level == Alerts.alert_fatal) { 1985 System.out.print("fatal, "); 1986 } else if (level == Alerts.alert_warning) { 1987 System.out.print("warning, "); 1988 } else { 1989 System.out.print("<level " + (0x0ff & level) + ">, "); 1990 } 1991 System.out.println(Alerts.alertDescription(description)); 1992 } 1993 } 1994 1995 if (level == Alerts.alert_warning) { 1996 if (description == Alerts.alert_close_notify) { 1997 if (connectionState == cs_HANDSHAKE) { 1998 fatal(Alerts.alert_unexpected_message, 1999 "Received close_notify during handshake"); 2000 } else { 2001 closeInternal(false); // reply to close 2002 } 2003 } else { 2004 2005 // 2006 // The other legal warnings relate to certificates, 2007 // e.g. no_certificate, bad_certificate, etc; these 2008 // are important to the handshaking code, which can 2009 // also handle illegal protocol alerts if needed. 2010 // 2011 if (handshaker != null) { 2012 handshaker.handshakeAlert(description); 2013 } 2014 } 2015 } else { // fatal or unknown level 2016 String reason = "Received fatal alert: " 2017 + Alerts.alertDescription(description); 2018 if (closeReason == null) { 2019 closeReason = Alerts.getSSLException(description, reason); 2020 } 2021 fatal(Alerts.alert_unexpected_message, reason); 2022 } 2023 } 2024 2025 2026 /* 2027 * Emit alerts. Caller must have synchronized with "this". 2028 */ 2029 private void sendAlert(byte level, byte description) { 2030 // the connectionState cannot be cs_START 2031 if (connectionState >= cs_SENT_CLOSE) { 2032 return; 2033 } 2034 2035 // For initial handshaking, don't send alert message to peer if 2036 // handshaker has not started. 2037 // 2038 // Shall we send an fatal alter to terminate the connection gracefully? 2039 if (connectionState <= cs_HANDSHAKE && 2040 (handshaker == null || !handshaker.started() || 2041 !handshaker.activated())) { 2042 return; 2043 } 2044 2045 boolean useDebug = debug != null && Debug.isOn("ssl"); 2046 if (useDebug) { 2047 synchronized (System.out) { 2048 System.out.print(Thread.currentThread().getName()); 2049 System.out.print(", SEND " + protocolVersion + " ALERT: "); 2050 if (level == Alerts.alert_fatal) { 2051 System.out.print("fatal, "); 2052 } else if (level == Alerts.alert_warning) { 2053 System.out.print("warning, "); 2054 } else { 2055 System.out.print("<level = " + (0x0ff & level) + ">, "); 2056 } 2057 System.out.println("description = " 2058 + Alerts.alertDescription(description)); 2059 } 2060 } 2061 2062 try { 2063 writeAlert(level, description); 2064 } catch (IOException e) { 2065 if (useDebug) { 2066 System.out.println(Thread.currentThread().getName() + 2067 ", Exception sending alert: " + e); 2068 } 2069 } 2070 } 2071 2072 // 2073 // VARIOUS OTHER METHODS 2074 // 2075 2076 // used by Handshaker 2077 void changeWriteCiphers() throws IOException { 2078 Authenticator writeAuthenticator; 2079 CipherBox writeCipher; 2080 try { 2081 writeCipher = handshaker.newWriteCipher(); 2082 writeAuthenticator = handshaker.newWriteAuthenticator(); 2083 } catch (GeneralSecurityException e) { 2084 // "can't happen" 2085 throw new SSLException("Algorithm missing: ", e); 2086 } 2087 outputRecord.changeWriteCiphers(writeAuthenticator, writeCipher); 2088 } 2089 2090 /* 2091 * Updates the SSL version associated with this connection. 2092 * Called from Handshaker once it has determined the negotiated version. 2093 */ 2094 synchronized void setVersion(ProtocolVersion protocolVersion) { 2095 this.protocolVersion = protocolVersion; 2096 outputRecord.setVersion(protocolVersion); 2097 } 2098 2099 // 2100 // ONLY used by ClientHandshaker for the server hostname during handshaling 2101 // 2102 synchronized String getHost() { 2103 // Note that the host may be null or empty for localhost. 2104 if (host == null || host.length() == 0) { 2105 useImplicitHost(true); 2106 } 2107 2108 return host; 2109 } 2110 2111 /* 2112 * Try to set and use the implicit specified hostname 2113 */ 2114 synchronized private void useImplicitHost(boolean noSniUpdate) { 2115 if ((host != null) && (host.length() != 0)) { 2116 return; 2117 } 2118 2119 // Note: If the local name service is not trustworthy, reverse 2120 // host name resolution should not be performed for endpoint 2121 // identification. Use the application original specified 2122 // hostname or IP address instead. 2123 2124 // Get the original hostname via jdk.internal.misc.SharedSecrets 2125 InetAddress inetAddress = getInetAddress(); 2126 if (inetAddress == null) { // not connected 2127 return; 2128 } 2129 2130 JavaNetInetAddressAccess jna = 2131 SharedSecrets.getJavaNetInetAddressAccess(); 2132 String originalHostname = jna.getOriginalHostName(inetAddress); 2133 if ((originalHostname != null) && 2134 (originalHostname.length() != 0)) { 2135 2136 host = originalHostname; 2137 if (!noSniUpdate && serverNames.isEmpty() && !noSniExtension) { 2138 serverNames = 2139 Utilities.addToSNIServerNameList(serverNames, host); 2140 2141 if (!roleIsServer && 2142 (handshaker != null) && !handshaker.started()) { 2143 handshaker.setSNIServerNames(serverNames); 2144 } 2145 } 2146 2147 return; 2148 } 2149 2150 // No explicitly specified hostname, no sserver name indication. 2151 if (!trustNameService) { 2152 // The local name service is not trustworthy, use IP address. 2153 host = inetAddress.getHostAddress(); 2154 } else { 2155 // Use the underlying reverse host name resolution service. 2156 host = getInetAddress().getHostName(); 2157 } 2158 } 2159 2160 // ONLY used by HttpsClient to setup the URI specified hostname 2161 // 2162 // Please NOTE that this method MUST be called before calling to 2163 // SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter 2164 // may override SNIHostName in the customized server name indication. 2165 public synchronized void setHost(String host) { 2166 this.host = host; 2167 this.serverNames = 2168 Utilities.addToSNIServerNameList(this.serverNames, this.host); 2169 2170 if (!roleIsServer && (handshaker != null) && !handshaker.started()) { 2171 handshaker.setSNIServerNames(serverNames); 2172 } 2173 } 2174 2175 /** 2176 * Gets an input stream to read from the peer on the other side. 2177 * Data read from this stream was always integrity protected in 2178 * transit, and will usually have been confidentiality protected. 2179 */ 2180 @Override 2181 public synchronized InputStream getInputStream() throws IOException { 2182 if (isClosed()) { 2183 throw new SocketException("Socket is closed"); 2184 } 2185 2186 /* 2187 * Can't call isConnected() here, because the Handshakers 2188 * do some initialization before we actually connect. 2189 */ 2190 if (connectionState == cs_START) { 2191 throw new SocketException("Socket is not connected"); 2192 } 2193 2194 return input; 2195 } 2196 2197 /** 2198 * Gets an output stream to write to the peer on the other side. 2199 * Data written on this stream is always integrity protected, and 2200 * will usually be confidentiality protected. 2201 */ 2202 @Override 2203 public synchronized OutputStream getOutputStream() throws IOException { 2204 if (isClosed()) { 2205 throw new SocketException("Socket is closed"); 2206 } 2207 2208 /* 2209 * Can't call isConnected() here, because the Handshakers 2210 * do some initialization before we actually connect. 2211 */ 2212 if (connectionState == cs_START) { 2213 throw new SocketException("Socket is not connected"); 2214 } 2215 2216 return output; 2217 } 2218 2219 /** 2220 * Returns the SSL Session in use by this connection. These can 2221 * be long lived, and frequently correspond to an entire login session 2222 * for some user. 2223 */ 2224 @Override 2225 public SSLSession getSession() { 2226 /* 2227 * Force a synchronous handshake, if appropriate. 2228 */ 2229 if (getConnectionState() == cs_HANDSHAKE) { 2230 try { 2231 // start handshaking, if failed, the connection will be closed. 2232 startHandshake(false); 2233 } catch (IOException e) { 2234 // handshake failed. log and return a nullSession 2235 if (debug != null && Debug.isOn("handshake")) { 2236 System.out.println(Thread.currentThread().getName() + 2237 ", IOException in getSession(): " + e); 2238 } 2239 } 2240 } 2241 synchronized (this) { 2242 return sess; 2243 } 2244 } 2245 2246 @Override 2247 public synchronized SSLSession getHandshakeSession() { 2248 return handshakeSession; 2249 } 2250 2251 synchronized void setHandshakeSession(SSLSessionImpl session) { 2252 // update the fragment size, which may be negotiated during handshaking 2253 inputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize()); 2254 outputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize()); 2255 2256 handshakeSession = session; 2257 } 2258 2259 /** 2260 * Controls whether new connections may cause creation of new SSL 2261 * sessions. 2262 * 2263 * As long as handshaking has not started, we can change 2264 * whether we enable session creations. Otherwise, 2265 * we will need to wait for the next handshake. 2266 */ 2267 @Override 2268 public synchronized void setEnableSessionCreation(boolean flag) { 2269 enableSessionCreation = flag; 2270 2271 if ((handshaker != null) && !handshaker.activated()) { 2272 handshaker.setEnableSessionCreation(enableSessionCreation); 2273 } 2274 } 2275 2276 /** 2277 * Returns true if new connections may cause creation of new SSL 2278 * sessions. 2279 */ 2280 @Override 2281 public synchronized boolean getEnableSessionCreation() { 2282 return enableSessionCreation; 2283 } 2284 2285 2286 /** 2287 * Sets the flag controlling whether a server mode socket 2288 * *REQUIRES* SSL client authentication. 2289 * 2290 * As long as handshaking has not started, we can change 2291 * whether client authentication is needed. Otherwise, 2292 * we will need to wait for the next handshake. 2293 */ 2294 @Override 2295 public synchronized void setNeedClientAuth(boolean flag) { 2296 doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED : 2297 ClientAuthType.CLIENT_AUTH_NONE); 2298 2299 if ((handshaker != null) && 2300 (handshaker instanceof ServerHandshaker) && 2301 !handshaker.activated()) { 2302 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth); 2303 } 2304 } 2305 2306 @Override 2307 public synchronized boolean getNeedClientAuth() { 2308 return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED); 2309 } 2310 2311 /** 2312 * Sets the flag controlling whether a server mode socket 2313 * *REQUESTS* SSL client authentication. 2314 * 2315 * As long as handshaking has not started, we can change 2316 * whether client authentication is requested. Otherwise, 2317 * we will need to wait for the next handshake. 2318 */ 2319 @Override 2320 public synchronized void setWantClientAuth(boolean flag) { 2321 doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED : 2322 ClientAuthType.CLIENT_AUTH_NONE); 2323 2324 if ((handshaker != null) && 2325 (handshaker instanceof ServerHandshaker) && 2326 !handshaker.activated()) { 2327 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth); 2328 } 2329 } 2330 2331 @Override 2332 public synchronized boolean getWantClientAuth() { 2333 return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED); 2334 } 2335 2336 2337 /** 2338 * Sets the flag controlling whether the socket is in SSL 2339 * client or server mode. Must be called before any SSL 2340 * traffic has started. 2341 */ 2342 @Override 2343 @SuppressWarnings("fallthrough") 2344 public synchronized void setUseClientMode(boolean flag) { 2345 switch (connectionState) { 2346 2347 case cs_START: 2348 /* 2349 * If we need to change the socket mode and the enabled 2350 * protocols and cipher suites haven't specifically been 2351 * set by the user, change them to the corresponding 2352 * default ones. 2353 */ 2354 if (roleIsServer != (!flag)) { 2355 if (sslContext.isDefaultProtocolList(enabledProtocols)) { 2356 enabledProtocols = 2357 sslContext.getDefaultProtocolList(!flag); 2358 } 2359 2360 if (sslContext.isDefaultCipherSuiteList(enabledCipherSuites)) { 2361 enabledCipherSuites = 2362 sslContext.getDefaultCipherSuiteList(!flag); 2363 } 2364 } 2365 2366 roleIsServer = !flag; 2367 break; 2368 2369 case cs_HANDSHAKE: 2370 /* 2371 * If we have a handshaker, but haven't started 2372 * SSL traffic, we can throw away our current 2373 * handshaker, and start from scratch. Don't 2374 * need to call doneConnect() again, we already 2375 * have the streams. 2376 */ 2377 assert(handshaker != null); 2378 if (!handshaker.activated()) { 2379 /* 2380 * If we need to change the socket mode and the enabled 2381 * protocols and cipher suites haven't specifically been 2382 * set by the user, change them to the corresponding 2383 * default ones. 2384 */ 2385 if (roleIsServer != (!flag)) { 2386 if (sslContext.isDefaultProtocolList(enabledProtocols)) { 2387 enabledProtocols = 2388 sslContext.getDefaultProtocolList(!flag); 2389 } 2390 2391 if (sslContext.isDefaultCipherSuiteList( 2392 enabledCipherSuites)) { 2393 enabledCipherSuites = 2394 sslContext.getDefaultCipherSuiteList(!flag); 2395 } 2396 } 2397 2398 roleIsServer = !flag; 2399 connectionState = cs_START; 2400 initHandshaker(); 2401 break; 2402 } 2403 2404 // If handshake has started, that's an error. Fall through... 2405 2406 default: 2407 if (debug != null && Debug.isOn("ssl")) { 2408 System.out.println(Thread.currentThread().getName() + 2409 ", setUseClientMode() invoked in state = " + 2410 connectionState); 2411 } 2412 throw new IllegalArgumentException( 2413 "Cannot change mode after SSL traffic has started"); 2414 } 2415 } 2416 2417 @Override 2418 public synchronized boolean getUseClientMode() { 2419 return !roleIsServer; 2420 } 2421 2422 2423 /** 2424 * Returns the names of the cipher suites which could be enabled for use 2425 * on an SSL connection. Normally, only a subset of these will actually 2426 * be enabled by default, since this list may include cipher suites which 2427 * do not support the mutual authentication of servers and clients, or 2428 * which do not protect data confidentiality. Servers may also need 2429 * certain kinds of certificates to use certain cipher suites. 2430 * 2431 * @return an array of cipher suite names 2432 */ 2433 @Override 2434 public String[] getSupportedCipherSuites() { 2435 return sslContext.getSupportedCipherSuiteList().toStringArray(); 2436 } 2437 2438 /** 2439 * Controls which particular cipher suites are enabled for use on 2440 * this connection. The cipher suites must have been listed by 2441 * getCipherSuites() as being supported. Even if a suite has been 2442 * enabled, it might never be used if no peer supports it or the 2443 * requisite certificates (and private keys) are not available. 2444 * 2445 * @param suites Names of all the cipher suites to enable. 2446 */ 2447 @Override 2448 public synchronized void setEnabledCipherSuites(String[] suites) { 2449 enabledCipherSuites = new CipherSuiteList(suites); 2450 if ((handshaker != null) && !handshaker.activated()) { 2451 handshaker.setEnabledCipherSuites(enabledCipherSuites); 2452 } 2453 } 2454 2455 /** 2456 * Returns the names of the SSL cipher suites which are currently enabled 2457 * for use on this connection. When an SSL socket is first created, 2458 * all enabled cipher suites <em>(a)</em> protect data confidentiality, 2459 * by traffic encryption, and <em>(b)</em> can mutually authenticate 2460 * both clients and servers. Thus, in some environments, this value 2461 * might be empty. 2462 * 2463 * @return an array of cipher suite names 2464 */ 2465 @Override 2466 public synchronized String[] getEnabledCipherSuites() { 2467 return enabledCipherSuites.toStringArray(); 2468 } 2469 2470 2471 /** 2472 * Returns the protocols that are supported by this implementation. 2473 * A subset of the supported protocols may be enabled for this connection 2474 * @return an array of protocol names. 2475 */ 2476 @Override 2477 public String[] getSupportedProtocols() { 2478 return sslContext.getSuportedProtocolList().toStringArray(); 2479 } 2480 2481 /** 2482 * Controls which protocols are enabled for use on 2483 * this connection. The protocols must have been listed by 2484 * getSupportedProtocols() as being supported. 2485 * 2486 * @param protocols protocols to enable. 2487 * @exception IllegalArgumentException when one of the protocols 2488 * named by the parameter is not supported. 2489 */ 2490 @Override 2491 public synchronized void setEnabledProtocols(String[] protocols) { 2492 enabledProtocols = new ProtocolList(protocols); 2493 if ((handshaker != null) && !handshaker.activated()) { 2494 handshaker.setEnabledProtocols(enabledProtocols); 2495 } 2496 } 2497 2498 @Override 2499 public synchronized String[] getEnabledProtocols() { 2500 return enabledProtocols.toStringArray(); 2501 } 2502 2503 /** 2504 * Assigns the socket timeout. 2505 * @see java.net.Socket#setSoTimeout 2506 */ 2507 @Override 2508 public void setSoTimeout(int timeout) throws SocketException { 2509 if ((debug != null) && Debug.isOn("ssl")) { 2510 System.out.println(Thread.currentThread().getName() + 2511 ", setSoTimeout(" + timeout + ") called"); 2512 } 2513 2514 super.setSoTimeout(timeout); 2515 } 2516 2517 /** 2518 * Registers an event listener to receive notifications that an 2519 * SSL handshake has completed on this connection. 2520 */ 2521 @Override 2522 public synchronized void addHandshakeCompletedListener( 2523 HandshakeCompletedListener listener) { 2524 if (listener == null) { 2525 throw new IllegalArgumentException("listener is null"); 2526 } 2527 if (handshakeListeners == null) { 2528 handshakeListeners = new 2529 HashMap<HandshakeCompletedListener, AccessControlContext>(4); 2530 } 2531 handshakeListeners.put(listener, AccessController.getContext()); 2532 } 2533 2534 2535 /** 2536 * Removes a previously registered handshake completion listener. 2537 */ 2538 @Override 2539 public synchronized void removeHandshakeCompletedListener( 2540 HandshakeCompletedListener listener) { 2541 if (handshakeListeners == null) { 2542 throw new IllegalArgumentException("no listeners"); 2543 } 2544 if (handshakeListeners.remove(listener) == null) { 2545 throw new IllegalArgumentException("listener not registered"); 2546 } 2547 if (handshakeListeners.isEmpty()) { 2548 handshakeListeners = null; 2549 } 2550 } 2551 2552 /** 2553 * Returns the SSLParameters in effect for this SSLSocket. 2554 */ 2555 @Override 2556 public synchronized SSLParameters getSSLParameters() { 2557 SSLParameters params = super.getSSLParameters(); 2558 2559 // the super implementation does not handle the following parameters 2560 params.setEndpointIdentificationAlgorithm(identificationProtocol); 2561 params.setAlgorithmConstraints(algorithmConstraints); 2562 2563 if (sniMatchers.isEmpty() && !noSniMatcher) { 2564 // 'null' indicates none has been set 2565 params.setSNIMatchers(null); 2566 } else { 2567 params.setSNIMatchers(sniMatchers); 2568 } 2569 2570 if (serverNames.isEmpty() && !noSniExtension) { 2571 // 'null' indicates none has been set 2572 params.setServerNames(null); 2573 } else { 2574 params.setServerNames(serverNames); 2575 } 2576 2577 params.setUseCipherSuitesOrder(preferLocalCipherSuites); 2578 params.setMaximumPacketSize(maximumPacketSize); 2579 params.setApplicationProtocols(applicationProtocols); 2580 2581 // DTLS handshake retransmissions parameter does not apply here. 2582 2583 return params; 2584 } 2585 2586 /** 2587 * Applies SSLParameters to this socket. 2588 */ 2589 @Override 2590 public synchronized void setSSLParameters(SSLParameters params) { 2591 super.setSSLParameters(params); 2592 2593 // the super implementation does not handle the following parameters 2594 identificationProtocol = params.getEndpointIdentificationAlgorithm(); 2595 algorithmConstraints = params.getAlgorithmConstraints(); 2596 preferLocalCipherSuites = params.getUseCipherSuitesOrder(); 2597 maximumPacketSize = params.getMaximumPacketSize(); 2598 2599 // DTLS handshake retransmissions parameter does not apply here. 2600 2601 if (maximumPacketSize != 0) { 2602 outputRecord.changePacketSize(maximumPacketSize); 2603 } else { 2604 // use the implicit maximum packet size. 2605 maximumPacketSize = outputRecord.getMaxPacketSize(); 2606 } 2607 2608 List<SNIServerName> sniNames = params.getServerNames(); 2609 if (sniNames != null) { 2610 if (sniNames.isEmpty()) { 2611 // need no SNI extension 2612 noSniExtension = true; 2613 } // Otherwise, need not to set noSniExtension 2614 2615 serverNames = sniNames; 2616 } 2617 2618 Collection<SNIMatcher> matchers = params.getSNIMatchers(); 2619 if (matchers != null) { 2620 if (matchers.isEmpty()) { 2621 // need no SNI matcher 2622 noSniMatcher = true; 2623 } // Otherwise, need not to set noSniMatcher 2624 2625 sniMatchers = matchers; 2626 } 2627 2628 applicationProtocols = params.getApplicationProtocols(); 2629 2630 if ((handshaker != null) && !handshaker.started()) { 2631 handshaker.setIdentificationProtocol(identificationProtocol); 2632 handshaker.setAlgorithmConstraints(algorithmConstraints); 2633 handshaker.setMaximumPacketSize(maximumPacketSize); 2634 handshaker.setApplicationProtocols(applicationProtocols); 2635 if (roleIsServer) { 2636 handshaker.setSNIMatchers(sniMatchers); 2637 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites); 2638 } else { 2639 handshaker.setSNIServerNames(serverNames); 2640 } 2641 } 2642 } 2643 2644 @Override 2645 public synchronized String getApplicationProtocol() { 2646 return applicationProtocol; 2647 } 2648 2649 @Override 2650 public synchronized String getHandshakeApplicationProtocol() { 2651 if ((handshaker != null) && !handshaker.started()) { 2652 return handshaker.getHandshakeApplicationProtocol(); 2653 } 2654 return null; 2655 } 2656 2657 // 2658 // We allocate a separate thread to deliver handshake completion 2659 // events. This ensures that the notifications don't block the 2660 // protocol state machine. 2661 // 2662 private static class NotifyHandshake implements Runnable { 2663 2664 private Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>> 2665 targets; // who gets notified 2666 private HandshakeCompletedEvent event; // the notification 2667 2668 NotifyHandshake( 2669 Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>> 2670 entrySet, HandshakeCompletedEvent e) { 2671 2672 targets = new HashSet<>(entrySet); // clone the entry set 2673 event = e; 2674 } 2675 2676 @Override 2677 public void run() { 2678 // Don't need to synchronize, as it only runs in one thread. 2679 for (Map.Entry<HandshakeCompletedListener,AccessControlContext> 2680 entry : targets) { 2681 2682 final HandshakeCompletedListener l = entry.getKey(); 2683 AccessControlContext acc = entry.getValue(); 2684 AccessController.doPrivileged(new PrivilegedAction<Void>() { 2685 @Override 2686 public Void run() { 2687 l.handshakeCompleted(event); 2688 return null; 2689 } 2690 }, acc); 2691 } 2692 } 2693 } 2694 2695 /** 2696 * Returns a printable representation of this end of the connection. 2697 */ 2698 @Override 2699 public String toString() { 2700 StringBuilder retval = new StringBuilder(80); 2701 2702 retval.append(Integer.toHexString(hashCode())); 2703 retval.append("["); 2704 retval.append(sess.getCipherSuite()); 2705 retval.append(": "); 2706 2707 retval.append(super.toString()); 2708 retval.append("]"); 2709 2710 return retval.toString(); 2711 } 2712 }