1 /*
   2  * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 
  27 package sun.security.ssl;
  28 
  29 import java.io.*;
  30 import java.nio.*;
  31 import java.net.*;
  32 import java.security.GeneralSecurityException;
  33 import java.security.AccessController;
  34 import java.security.AccessControlContext;
  35 import java.security.PrivilegedAction;
  36 import java.security.AlgorithmConstraints;
  37 import java.util.*;
  38 import java.util.concurrent.TimeUnit;
  39 import java.util.concurrent.locks.ReentrantLock;
  40 
  41 import javax.crypto.BadPaddingException;
  42 import javax.net.ssl.*;
  43 import sun.misc.ManagedLocalsThread;
  44 
  45 import jdk.internal.misc.JavaNetInetAddressAccess;
  46 import jdk.internal.misc.SharedSecrets;
  47 
  48 /**
  49  * Implementation of an SSL socket.  This is a normal connection type
  50  * socket, implementing SSL over some lower level socket, such as TCP.
  51  * Because it is layered over some lower level socket, it MUST override
  52  * all default socket methods.
  53  *
  54  * <P> This API offers a non-traditional option for establishing SSL
  55  * connections.  You may first establish the connection directly, then pass
  56  * that connection to the SSL socket constructor with a flag saying which
  57  * role should be taken in the handshake protocol.  (The two ends of the
  58  * connection must not choose the same role!)  This allows setup of SSL
  59  * proxying or tunneling, and also allows the kind of "role reversal"
  60  * that is required for most FTP data transfers.
  61  *
  62  * @see javax.net.ssl.SSLSocket
  63  * @see SSLServerSocket
  64  *
  65  * @author David Brownell
  66  */
  67 final public class SSLSocketImpl extends BaseSSLSocketImpl {
  68 
  69     /*
  70      * ERROR HANDLING GUIDELINES
  71      * (which exceptions to throw and catch and which not to throw and catch)
  72      *
  73      * . if there is an IOException (SocketException) when accessing the
  74      *   underlying Socket, pass it through
  75      *
  76      * . do not throw IOExceptions, throw SSLExceptions (or a subclass)
  77      *
  78      * . for internal errors (things that indicate a bug in JSSE or a
  79      *   grossly misconfigured J2RE), throw either an SSLException or
  80      *   a RuntimeException at your convenience.
  81      *
  82      * . handshaking code (Handshaker or HandshakeMessage) should generally
  83      *   pass through exceptions, but can handle them if they know what to
  84      *   do.
  85      *
  86      * . exception chaining should be used for all new code. If you happen
  87      *   to touch old code that does not use chaining, you should change it.
  88      *
  89      * . there is a top level exception handler that sits at all entry
  90      *   points from application code to SSLSocket read/write code. It
  91      *   makes sure that all errors are handled (see handleException()).
  92      *
  93      * . JSSE internal code should generally not call close(), call
  94      *   closeInternal().
  95      */
  96 
  97     /*
  98      * There's a state machine associated with each connection, which
  99      * among other roles serves to negotiate session changes.
 100      *
 101      * - START with constructor, until the TCP connection's around.
 102      * - HANDSHAKE picks session parameters before allowing traffic.
 103      *          There are many substates due to sequencing requirements
 104      *          for handshake messages.
 105      * - DATA may be transmitted.
 106      * - RENEGOTIATE state allows concurrent data and handshaking
 107      *          traffic ("same" substates as HANDSHAKE), and terminates
 108      *          in selection of new session (and connection) parameters
 109      * - ERROR state immediately precedes abortive disconnect.
 110      * - SENT_CLOSE sent a close_notify to the peer. For layered,
 111      *          non-autoclose socket, must now read close_notify
 112      *          from peer before closing the connection. For nonlayered or
 113      *          non-autoclose socket, close connection and go onto
 114      *          cs_CLOSED state.
 115      * - CLOSED after sending close_notify alert, & socket is closed.
 116      *          SSL connection objects are not reused.
 117      * - APP_CLOSED once the application calls close(). Then it behaves like
 118      *          a closed socket, e.g.. getInputStream() throws an Exception.
 119      *
 120      * State affects what SSL record types may legally be sent:
 121      *
 122      * - Handshake ... only in HANDSHAKE and RENEGOTIATE states
 123      * - App Data ... only in DATA and RENEGOTIATE states
 124      * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE
 125      *
 126      * Re what may be received:  same as what may be sent, except that
 127      * HandshakeRequest handshaking messages can come from servers even
 128      * in the application data state, to request entry to RENEGOTIATE.
 129      *
 130      * The state machine within HANDSHAKE and RENEGOTIATE states controls
 131      * the pending session, not the connection state, until the change
 132      * cipher spec and "Finished" handshake messages are processed and
 133      * make the "new" session become the current one.
 134      *
 135      * NOTE: details of the SMs always need to be nailed down better.
 136      * The text above illustrates the core ideas.
 137      *
 138      *                +---->-------+------>--------->-------+
 139      *                |            |                        |
 140      *     <-----<    ^            ^  <-----<               v
 141      *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE  SENT_CLOSE
 142      *                v            v               v        |   |
 143      *                |            |               |        |   v
 144      *                +------------+---------------+        v ERROR
 145      *                |                                     |   |
 146      *                v                                     |   |
 147      *               ERROR>------>----->CLOSED<--------<----+-- +
 148      *                                     |
 149      *                                     v
 150      *                                 APP_CLOSED
 151      *
 152      * ALSO, note that the purpose of handshaking (renegotiation is
 153      * included) is to assign a different, and perhaps new, session to
 154      * the connection.  The SSLv3 spec is a bit confusing on that new
 155      * protocol feature.
 156      */
 157     private static final int    cs_START = 0;
 158     private static final int    cs_HANDSHAKE = 1;
 159     private static final int    cs_DATA = 2;
 160     private static final int    cs_RENEGOTIATE = 3;
 161     private static final int    cs_ERROR = 4;
 162     private static final int    cs_SENT_CLOSE = 5;
 163     private static final int    cs_CLOSED = 6;
 164     private static final int    cs_APP_CLOSED = 7;
 165 
 166     /*
 167      * Drives the protocol state machine.
 168      */
 169     private volatile int        connectionState;
 170 
 171     /*
 172      * Flag indicating if the next record we receive MUST be a Finished
 173      * message. Temporarily set during the handshake to ensure that
 174      * a change cipher spec message is followed by a finished message.
 175      */
 176     private boolean             expectingFinished;
 177 
 178     /*
 179      * For improved diagnostics, we detail connection closure
 180      * If the socket is closed (connectionState >= cs_ERROR),
 181      * closeReason != null indicates if the socket was closed
 182      * because of an error or because or normal shutdown.
 183      */
 184     private SSLException        closeReason;
 185 
 186     /*
 187      * Per-connection private state that doesn't change when the
 188      * session is changed.
 189      */
 190     private ClientAuthType      doClientAuth =
 191                                         ClientAuthType.CLIENT_AUTH_NONE;
 192     private boolean             roleIsServer;
 193     private boolean             enableSessionCreation = true;
 194     private String              host;
 195     private boolean             autoClose = true;
 196     private AccessControlContext acc;
 197 
 198     // The cipher suites enabled for use on this connection.
 199     private CipherSuiteList     enabledCipherSuites;
 200 
 201     // The endpoint identification protocol
 202     private String              identificationProtocol = null;
 203 
 204     // The cryptographic algorithm constraints
 205     private AlgorithmConstraints    algorithmConstraints = null;
 206 
 207     // The server name indication and matchers
 208     List<SNIServerName>         serverNames =
 209                                     Collections.<SNIServerName>emptyList();
 210     Collection<SNIMatcher>      sniMatchers =
 211                                     Collections.<SNIMatcher>emptyList();
 212 
 213     /*
 214      * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
 215      * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.
 216      * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
 217      *
 218      * There are several locks here.
 219      *
 220      * The primary lock is the per-instance lock used by
 221      * synchronized(this) and the synchronized methods.  It controls all
 222      * access to things such as the connection state and variables which
 223      * affect handshaking.  If we are inside a synchronized method, we
 224      * can access the state directly, otherwise, we must use the
 225      * synchronized equivalents.
 226      *
 227      * The handshakeLock is used to ensure that only one thread performs
 228      * the *complete initial* handshake.  If someone is handshaking, any
 229      * stray application or startHandshake() requests who find the
 230      * connection state is cs_HANDSHAKE will stall on handshakeLock
 231      * until handshaking is done.  Once the handshake is done, we either
 232      * succeeded or failed, but we can never go back to the cs_HANDSHAKE
 233      * or cs_START state again.
 234      *
 235      * Note that the read/write() calls here in SSLSocketImpl are not
 236      * obviously synchronized.  In fact, it's very nonintuitive, and
 237      * requires careful examination of code paths.  Grab some coffee,
 238      * and be careful with any code changes.
 239      *
 240      * There can be only three threads active at a time in the I/O
 241      * subsection of this class.
 242      *    1.  startHandshake
 243      *    2.  AppInputStream
 244      *    3.  AppOutputStream
 245      * One thread could call startHandshake().
 246      * AppInputStream/AppOutputStream read() and write() calls are each
 247      * synchronized on 'this' in their respective classes, so only one
 248      * app. thread will be doing a SSLSocketImpl.read() or .write()'s at
 249      * a time.
 250      *
 251      * If handshaking is required (state cs_HANDSHAKE), and
 252      * getConnectionState() for some/all threads returns cs_HANDSHAKE,
 253      * only one can grab the handshakeLock, and the rest will stall
 254      * either on getConnectionState(), or on the handshakeLock if they
 255      * happen to successfully race through the getConnectionState().
 256      *
 257      * If a writer is doing the initial handshaking, it must create a
 258      * temporary reader to read the responses from the other side.  As a
 259      * side-effect, the writer's reader will have priority over any
 260      * other reader.  However, the writer's reader is not allowed to
 261      * consume any application data.  When handshakeLock is finally
 262      * released, we either have a cs_DATA connection, or a
 263      * cs_CLOSED/cs_ERROR socket.
 264      *
 265      * The writeLock is held while writing on a socket connection and
 266      * also to protect the MAC and cipher for their direction.  The
 267      * writeLock is package private for Handshaker which holds it while
 268      * writing the ChangeCipherSpec message.
 269      *
 270      * To avoid the problem of a thread trying to change operational
 271      * modes on a socket while handshaking is going on, we synchronize
 272      * on 'this'.  If handshaking has not started yet, we tell the
 273      * handshaker to change its mode.  If handshaking has started,
 274      * we simply store that request until the next pending session
 275      * is created, at which time the new handshaker's state is set.
 276      *
 277      * The readLock is held during readRecord(), which is responsible
 278      * for reading an SSLInputRecord, decrypting it, and processing it.
 279      * The readLock ensures that these three steps are done atomically
 280      * and that once started, no other thread can block on SSLInputRecord.read.
 281      * This is necessary so that processing of close_notify alerts
 282      * from the peer are handled properly.
 283      */
 284     final private Object        handshakeLock = new Object();
 285     final ReentrantLock         writeLock = new ReentrantLock();
 286     final private Object        readLock = new Object();
 287 
 288     InputRecord                 inputRecord;
 289     OutputRecord                outputRecord;
 290 
 291     /*
 292      * security parameters for secure renegotiation.
 293      */
 294     private boolean             secureRenegotiation;
 295     private byte[]              clientVerifyData;
 296     private byte[]              serverVerifyData;
 297 
 298     /*
 299      * The authentication context holds all information used to establish
 300      * who this end of the connection is (certificate chains, private keys,
 301      * etc) and who is trusted (e.g. as CAs or websites).
 302      */
 303     private SSLContextImpl      sslContext;
 304 
 305 
 306     /*
 307      * This connection is one of (potentially) many associated with
 308      * any given session.  The output of the handshake protocol is a
 309      * new session ... although all the protocol description talks
 310      * about changing the cipher spec (and it does change), in fact
 311      * that's incidental since it's done by changing everything that
 312      * is associated with a session at the same time.  (TLS/IETF may
 313      * change that to add client authentication w/o new key exchg.)
 314      */
 315     private Handshaker                  handshaker;
 316     private SSLSessionImpl              sess;
 317     private volatile SSLSessionImpl     handshakeSession;
 318 
 319 
 320     /*
 321      * If anyone wants to get notified about handshake completions,
 322      * they'll show up on this list.
 323      */
 324     private HashMap<HandshakeCompletedListener, AccessControlContext>
 325                                                         handshakeListeners;
 326 
 327     /*
 328      * Reuse the same internal input/output streams.
 329      */
 330     private InputStream         sockInput;
 331     private OutputStream        sockOutput;
 332 
 333 
 334     /*
 335      * These input and output streams block their data in SSL records,
 336      * and usually arrange integrity and privacy protection for those
 337      * records.  The guts of the SSL protocol are wrapped up in these
 338      * streams, and in the handshaking that establishes the details of
 339      * that integrity and privacy protection.
 340      */
 341     private AppInputStream      input;
 342     private AppOutputStream     output;
 343 
 344     /*
 345      * The protocol versions enabled for use on this connection.
 346      *
 347      * Note: we support a pseudo protocol called SSLv2Hello which when
 348      * set will result in an SSL v2 Hello being sent with SSL (version 3.0)
 349      * or TLS (version 3.1, 3.2, etc.) version info.
 350      */
 351     private ProtocolList enabledProtocols;
 352 
 353     /*
 354      * The SSL version associated with this connection.
 355      */
 356     private ProtocolVersion     protocolVersion = ProtocolVersion.DEFAULT_TLS;
 357 
 358     /* Class and subclass dynamic debugging support */
 359     private static final Debug debug = Debug.getInstance("ssl");
 360 
 361     /*
 362      * Is it the first application record to write?
 363      */
 364     private boolean isFirstAppOutputRecord = true;
 365 
 366     /*
 367      * If AppOutputStream needs to delay writes of small packets, we
 368      * will use this to store the data until we actually do the write.
 369      */
 370     private ByteArrayOutputStream heldRecordBuffer = null;
 371 
 372     /*
 373      * Whether local cipher suites preference in server side should be
 374      * honored during handshaking?
 375      */
 376     private boolean preferLocalCipherSuites = false;
 377 
 378     /*
 379      * The maximum expected network packet size for SSL/TLS/DTLS records.
 380      */
 381     private int maximumPacketSize = 0;
 382 
 383     /*
 384      * Is the local name service trustworthy?
 385      *
 386      * If the local name service is not trustworthy, reverse host name
 387      * resolution should not be performed for endpoint identification.
 388      */
 389     static final boolean trustNameService =
 390             Debug.getBooleanProperty("jdk.tls.trustNameService", false);
 391 
 392     //
 393     // CONSTRUCTORS AND INITIALIZATION CODE
 394     //
 395 
 396     /**
 397      * Constructs an SSL connection to a named host at a specified port,
 398      * using the authentication context provided.  This endpoint acts as
 399      * the client, and may rejoin an existing SSL session if appropriate.
 400      *
 401      * @param context authentication context to use
 402      * @param host name of the host with which to connect
 403      * @param port number of the server's port
 404      */
 405     SSLSocketImpl(SSLContextImpl context, String host, int port)
 406             throws IOException, UnknownHostException {
 407         super();
 408         this.host = host;
 409         this.serverNames =
 410             Utilities.addToSNIServerNameList(this.serverNames, this.host);
 411         init(context, false);
 412         SocketAddress socketAddress =
 413                host != null ? new InetSocketAddress(host, port) :
 414                new InetSocketAddress(InetAddress.getByName(null), port);
 415         connect(socketAddress, 0);
 416     }
 417 
 418 
 419     /**
 420      * Constructs an SSL connection to a server at a specified address.
 421      * and TCP port, using the authentication context provided.  This
 422      * endpoint acts as the client, and may rejoin an existing SSL session
 423      * if appropriate.
 424      *
 425      * @param context authentication context to use
 426      * @param address the server's host
 427      * @param port its port
 428      */
 429     SSLSocketImpl(SSLContextImpl context, InetAddress host, int port)
 430             throws IOException {
 431         super();
 432         init(context, false);
 433         SocketAddress socketAddress = new InetSocketAddress(host, port);
 434         connect(socketAddress, 0);
 435     }
 436 
 437     /**
 438      * Constructs an SSL connection to a named host at a specified port,
 439      * using the authentication context provided.  This endpoint acts as
 440      * the client, and may rejoin an existing SSL session if appropriate.
 441      *
 442      * @param context authentication context to use
 443      * @param host name of the host with which to connect
 444      * @param port number of the server's port
 445      * @param localAddr the local address the socket is bound to
 446      * @param localPort the local port the socket is bound to
 447      */
 448     SSLSocketImpl(SSLContextImpl context, String host, int port,
 449             InetAddress localAddr, int localPort)
 450             throws IOException, UnknownHostException {
 451         super();
 452         this.host = host;
 453         this.serverNames =
 454             Utilities.addToSNIServerNameList(this.serverNames, this.host);
 455         init(context, false);
 456         bind(new InetSocketAddress(localAddr, localPort));
 457         SocketAddress socketAddress =
 458                host != null ? new InetSocketAddress(host, port) :
 459                new InetSocketAddress(InetAddress.getByName(null), port);
 460         connect(socketAddress, 0);
 461     }
 462 
 463 
 464     /**
 465      * Constructs an SSL connection to a server at a specified address.
 466      * and TCP port, using the authentication context provided.  This
 467      * endpoint acts as the client, and may rejoin an existing SSL session
 468      * if appropriate.
 469      *
 470      * @param context authentication context to use
 471      * @param address the server's host
 472      * @param port its port
 473      * @param localAddr the local address the socket is bound to
 474      * @param localPort the local port the socket is bound to
 475      */
 476     SSLSocketImpl(SSLContextImpl context, InetAddress host, int port,
 477             InetAddress localAddr, int localPort)
 478             throws IOException {
 479         super();
 480         init(context, false);
 481         bind(new InetSocketAddress(localAddr, localPort));
 482         SocketAddress socketAddress = new InetSocketAddress(host, port);
 483         connect(socketAddress, 0);
 484     }
 485 
 486     /*
 487      * Package-private constructor used ONLY by SSLServerSocket.  The
 488      * java.net package accepts the TCP connection after this call is
 489      * made.  This just initializes handshake state to use "server mode",
 490      * giving control over the use of SSL client authentication.
 491      */
 492     SSLSocketImpl(SSLContextImpl context, boolean serverMode,
 493             CipherSuiteList suites, ClientAuthType clientAuth,
 494             boolean sessionCreation, ProtocolList protocols,
 495             String identificationProtocol,
 496             AlgorithmConstraints algorithmConstraints,
 497             Collection<SNIMatcher> sniMatchers,
 498             boolean preferLocalCipherSuites) throws IOException {
 499 
 500         super();
 501         doClientAuth = clientAuth;
 502         enableSessionCreation = sessionCreation;
 503         this.identificationProtocol = identificationProtocol;
 504         this.algorithmConstraints = algorithmConstraints;
 505         this.sniMatchers = sniMatchers;
 506         this.preferLocalCipherSuites = preferLocalCipherSuites;
 507         init(context, serverMode);
 508 
 509         /*
 510          * Override what was picked out for us.
 511          */
 512         enabledCipherSuites = suites;
 513         enabledProtocols = protocols;
 514     }
 515 
 516 
 517     /**
 518      * Package-private constructor used to instantiate an unconnected
 519      * socket. The java.net package will connect it, either when the
 520      * connect() call is made by the application.  This instance is
 521      * meant to set handshake state to use "client mode".
 522      */
 523     SSLSocketImpl(SSLContextImpl context) {
 524         super();
 525         init(context, false);
 526     }
 527 
 528 
 529     /**
 530      * Layer SSL traffic over an existing connection, rather than creating
 531      * a new connection.  The existing connection may be used only for SSL
 532      * traffic (using this SSLSocket) until the SSLSocket.close() call
 533      * returns. However, if a protocol error is detected, that existing
 534      * connection is automatically closed.
 535      *
 536      * <P> This particular constructor always uses the socket in the
 537      * role of an SSL client. It may be useful in cases which start
 538      * using SSL after some initial data transfers, for example in some
 539      * SSL tunneling applications or as part of some kinds of application
 540      * protocols which negotiate use of a SSL based security.
 541      *
 542      * @param sock the existing connection
 543      * @param context the authentication context to use
 544      */
 545     SSLSocketImpl(SSLContextImpl context, Socket sock, String host,
 546             int port, boolean autoClose) throws IOException {
 547         super(sock);
 548         // We always layer over a connected socket
 549         if (!sock.isConnected()) {
 550             throw new SocketException("Underlying socket is not connected");
 551         }
 552         this.host = host;
 553         this.serverNames =
 554             Utilities.addToSNIServerNameList(this.serverNames, this.host);
 555         init(context, false);
 556         this.autoClose = autoClose;
 557         doneConnect();
 558     }
 559 
 560     /**
 561      * Creates a server mode {@link Socket} layered over an
 562      * existing connected socket, and is able to read data which has
 563      * already been consumed/removed from the {@link Socket}'s
 564      * underlying {@link InputStream}.
 565      */
 566     SSLSocketImpl(SSLContextImpl context, Socket sock,
 567             InputStream consumed, boolean autoClose) throws IOException {
 568         super(sock, consumed);
 569         // We always layer over a connected socket
 570         if (!sock.isConnected()) {
 571             throw new SocketException("Underlying socket is not connected");
 572         }
 573 
 574         // In server mode, it is not necessary to set host and serverNames.
 575         // Otherwise, would require a reverse DNS lookup to get the hostname.
 576 
 577         init(context, true);
 578         this.autoClose = autoClose;
 579         doneConnect();
 580     }
 581 
 582     /**
 583      * Initializes the client socket.
 584      */
 585     private void init(SSLContextImpl context, boolean isServer) {
 586         sslContext = context;
 587         sess = SSLSessionImpl.nullSession;
 588         handshakeSession = null;
 589 
 590         /*
 591          * role is as specified, state is START until after
 592          * the low level connection's established.
 593          */
 594         roleIsServer = isServer;
 595         connectionState = cs_START;
 596 
 597         // initial security parameters for secure renegotiation
 598         secureRenegotiation = false;
 599         clientVerifyData = new byte[0];
 600         serverVerifyData = new byte[0];
 601 
 602         enabledCipherSuites =
 603                 sslContext.getDefaultCipherSuiteList(roleIsServer);
 604         enabledProtocols =
 605                 sslContext.getDefaultProtocolList(roleIsServer);
 606 
 607         inputRecord = new SSLSocketInputRecord();;
 608         outputRecord = new SSLSocketOutputRecord();
 609 
 610         maximumPacketSize = outputRecord.getMaxPacketSize();
 611 
 612         // save the acc
 613         acc = AccessController.getContext();
 614 
 615         input = new AppInputStream(this);
 616         output = new AppOutputStream(this);
 617     }
 618 
 619     /**
 620      * Connects this socket to the server with a specified timeout
 621      * value.
 622      *
 623      * This method is either called on an unconnected SSLSocketImpl by the
 624      * application, or it is called in the constructor of a regular
 625      * SSLSocketImpl. If we are layering on top on another socket, then
 626      * this method should not be called, because we assume that the
 627      * underlying socket is already connected by the time it is passed to
 628      * us.
 629      *
 630      * @param   endpoint the <code>SocketAddress</code>
 631      * @param   timeout  the timeout value to be used, 0 is no timeout
 632      * @throws  IOException if an error occurs during the connection
 633      * @throws  SocketTimeoutException if timeout expires before connecting
 634      */
 635     @Override
 636     public void connect(SocketAddress endpoint, int timeout)
 637             throws IOException {
 638 
 639         if (isLayered()) {
 640             throw new SocketException("Already connected");
 641         }
 642 
 643         if (!(endpoint instanceof InetSocketAddress)) {
 644             throw new SocketException(
 645                                   "Cannot handle non-Inet socket addresses.");
 646         }
 647 
 648         super.connect(endpoint, timeout);
 649         doneConnect();
 650     }
 651 
 652     /**
 653      * Initialize the handshaker and socket streams.
 654      *
 655      * Called by connect, the layered constructor, and SSLServerSocket.
 656      */
 657     void doneConnect() throws IOException {
 658         /*
 659          * Save the input and output streams.  May be done only after
 660          * java.net actually connects using the socket "self", else
 661          * we get some pretty bizarre failure modes.
 662          */
 663         sockInput = super.getInputStream();
 664         sockOutput = super.getOutputStream();
 665 
 666         inputRecord.setDeliverStream(sockOutput);
 667         outputRecord.setDeliverStream(sockOutput);
 668 
 669         /*
 670          * Move to handshaking state, with pending session initialized
 671          * to defaults and the appropriate kind of handshaker set up.
 672          */
 673         initHandshaker();
 674     }
 675 
 676     synchronized private int getConnectionState() {
 677         return connectionState;
 678     }
 679 
 680     synchronized private void setConnectionState(int state) {
 681         connectionState = state;
 682     }
 683 
 684     AccessControlContext getAcc() {
 685         return acc;
 686     }
 687 
 688     //
 689     // READING AND WRITING RECORDS
 690     //
 691 
 692     /*
 693      * Application data record output.
 694      *
 695      * Application data can't be sent until the first handshake establishes
 696      * a session.
 697      */
 698     void writeRecord(byte[] source, int offset, int length) throws IOException {
 699         /*
 700          * The loop is in case of HANDSHAKE --> ERROR transitions, etc
 701          */
 702         // Don't bother to check the emptiness of source applicatoin data
 703         // before the security connection established.
 704         for (boolean readyForApp = false; !readyForApp;) {
 705             /*
 706              * Not all states support passing application data.  We
 707              * synchronize access to the connection state, so that
 708              * synchronous handshakes can complete cleanly.
 709              */
 710             switch (getConnectionState()) {
 711 
 712                 /*
 713                  * We've deferred the initial handshaking till just now,
 714                  * when presumably a thread's decided it's OK to block for
 715                  * longish periods of time for I/O purposes (as well as
 716                  * configured the cipher suites it wants to use).
 717                  */
 718                 case cs_HANDSHAKE:
 719                     performInitialHandshake();
 720                     break;
 721 
 722                 case cs_DATA:
 723                 case cs_RENEGOTIATE:
 724                     readyForApp = true;
 725                     break;
 726 
 727                 case cs_ERROR:
 728                     fatal(Alerts.alert_close_notify,
 729                             "error while writing to socket");
 730                     break; // dummy
 731 
 732                 case cs_SENT_CLOSE:
 733                 case cs_CLOSED:
 734                 case cs_APP_CLOSED:
 735                     // we should never get here (check in AppOutputStream)
 736                     // this is just a fallback
 737                     if (closeReason != null) {
 738                         throw closeReason;
 739                     } else {
 740                         throw new SocketException("Socket closed");
 741                     }
 742 
 743                 /*
 744                  * Else something's goofy in this state machine's use.
 745                  */
 746                 default:
 747                     throw new SSLProtocolException(
 748                             "State error, send app data");
 749             }
 750         }
 751 
 752         //
 753         // Don't bother to really write empty records.  We went this
 754         // far to drive the handshake machinery, for correctness; not
 755         // writing empty records improves performance by cutting CPU
 756         // time and network resource usage.  However, some protocol
 757         // implementations are fragile and don't like to see empty
 758         // records, so this also increases robustness.
 759         //
 760         if (length > 0) {
 761             writeLock.lock();
 762             try {
 763                 outputRecord.deliver(source, offset, length);
 764             } catch (SSLHandshakeException she) {
 765                 // may be record sequence number overflow
 766                 fatal(Alerts.alert_handshake_failure, she);
 767             } catch (IOException e) {
 768                 fatal(Alerts.alert_unexpected_message, e);
 769             } finally {
 770                 writeLock.unlock();
 771             }
 772         }
 773 
 774         /*
 775          * Check the sequence number state
 776          *
 777          * Note that in order to maintain the connection I/O
 778          * properly, we check the sequence number after the last
 779          * record writing process. As we request renegotiation
 780          * or close the connection for wrapped sequence number
 781          * when there is enough sequence number space left to
 782          * handle a few more records, so the sequence number
 783          * of the last record cannot be wrapped.
 784          *
 785          * Don't bother to kickstart the renegotiation when the
 786          * local is asking for it.
 787          */
 788         if ((connectionState == cs_DATA) && outputRecord.seqNumIsHuge()) {
 789             /*
 790              * Ask for renegotiation when need to renew sequence number.
 791              *
 792              * Don't bother to kickstart the renegotiation when the local is
 793              * asking for it.
 794              */
 795             if (debug != null && Debug.isOn("ssl")) {
 796                 System.out.println(Thread.currentThread().getName() +
 797                         ", request renegotiation " +
 798                         "to avoid sequence number overflow");
 799             }
 800 
 801             startHandshake();
 802         }
 803     }
 804 
 805     /*
 806      * Alert record output.
 807      */
 808     void writeAlert(byte level, byte description) throws IOException {
 809 
 810         // If the record is a close notify alert, we need to honor
 811         // socket option SO_LINGER. Note that we will try to send
 812         // the close notify even if the SO_LINGER set to zero.
 813         if ((description == Alerts.alert_close_notify) && getSoLinger() >= 0) {
 814 
 815             // keep and clear the current thread interruption status.
 816             boolean interrupted = Thread.interrupted();
 817             try {
 818                 if (writeLock.tryLock(getSoLinger(), TimeUnit.SECONDS)) {
 819                     try {
 820                         outputRecord.encodeAlert(level, description);
 821                     } finally {
 822                         writeLock.unlock();
 823                     }
 824                 } else {
 825                     SSLException ssle = new SSLException(
 826                             "SO_LINGER timeout," +
 827                             " close_notify message cannot be sent.");
 828 
 829 
 830                     // For layered, non-autoclose sockets, we are not
 831                     // able to bring them into a usable state, so we
 832                     // treat it as fatal error.
 833                     if (isLayered() && !autoClose) {
 834                         // Note that the alert description is
 835                         // specified as -1, so no message will be send
 836                         // to peer anymore.
 837                         fatal((byte)(-1), ssle);
 838                     } else if ((debug != null) && Debug.isOn("ssl")) {
 839                         System.out.println(
 840                             Thread.currentThread().getName() +
 841                             ", received Exception: " + ssle);
 842                     }
 843 
 844                     // RFC2246 requires that the session becomes
 845                     // unresumable if any connection is terminated
 846                     // without proper close_notify messages with
 847                     // level equal to warning.
 848                     //
 849                     // RFC4346 no longer requires that a session not be
 850                     // resumed if failure to properly close a connection.
 851                     //
 852                     // We choose to make the session unresumable if
 853                     // failed to send the close_notify message.
 854                     //
 855                     sess.invalidate();
 856                 }
 857             } catch (InterruptedException ie) {
 858                 // keep interrupted status
 859                 interrupted = true;
 860             }
 861 
 862             // restore the interrupted status
 863             if (interrupted) {
 864                 Thread.currentThread().interrupt();
 865             }
 866         } else {
 867             writeLock.lock();
 868             try {
 869                 outputRecord.encodeAlert(level, description);
 870             } finally {
 871                 writeLock.unlock();
 872             }
 873         }
 874 
 875         // Don't bother to check sequence number overlap here.  If sequence
 876         // number is huge, there should be enough sequence number space to
 877         // request renegotiation in next application data read and write.
 878     }
 879 
 880 
 881     int bytesInCompletePacket() throws IOException {
 882         if (getConnectionState() == cs_HANDSHAKE) {
 883             performInitialHandshake();
 884         }
 885 
 886         synchronized (readLock) {
 887             int state = getConnectionState();
 888             if ((state == cs_CLOSED) ||
 889                     (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
 890                 return -1;
 891             }
 892 
 893             try {
 894                 return inputRecord.bytesInCompletePacket(sockInput);
 895             } catch (EOFException eofe) {
 896                 boolean handshaking = (connectionState <= cs_HANDSHAKE);
 897                 boolean rethrow = requireCloseNotify || handshaking;
 898                 if ((debug != null) && Debug.isOn("ssl")) {
 899                     System.out.println(Thread.currentThread().getName() +
 900                         ", received EOFException: "
 901                         + (rethrow ? "error" : "ignored"));
 902                 }
 903 
 904                 if (!rethrow) {
 905                     // treat as if we had received a close_notify
 906                     closeInternal(false);
 907                 } else {
 908                     SSLException e;
 909                     if (handshaking) {
 910                         e = new SSLHandshakeException(
 911                             "Remote host terminated the handshake");
 912                     } else {
 913                         e = new SSLProtocolException(
 914                             "Remote host terminated the handshake");
 915                     }
 916                     e.initCause(eofe);
 917                     throw e;
 918                 }
 919             }
 920 
 921             return -1;
 922         }
 923     }
 924 
 925     // the caller have synchronized readLock
 926     void expectingFinishFlight() {
 927         inputRecord.expectingFinishFlight();
 928     }
 929 
 930     /*
 931      * Read an application data record.
 932      *
 933      * Alerts and handshake messages are internally handled directly.
 934      */
 935     int readRecord(ByteBuffer buffer) throws IOException {
 936         if (getConnectionState() == cs_HANDSHAKE) {
 937             performInitialHandshake();
 938         }
 939 
 940         return readRecord(buffer, true);
 941     }
 942 
 943     /*
 944      * Read a record, no application data input required.
 945      *
 946      * Alerts and handshake messages are internally handled directly.
 947      */
 948     int readRecord(boolean needAppData) throws IOException {
 949         return readRecord(null, needAppData);
 950     }
 951 
 952     /*
 953      * Clear the pipeline of records from the peer, optionally returning
 954      * application data.   Caller is responsible for knowing that it's
 955      * possible to do this kind of clearing, if they don't want app
 956      * data -- e.g. since it's the initial SSL handshake.
 957      *
 958      * Don't synchronize (this) during a blocking read() since it
 959      * protects data which is accessed on the write side as well.
 960      */
 961     private int readRecord(ByteBuffer buffer, boolean needAppData)
 962             throws IOException {
 963         int state;
 964 
 965         // readLock protects reading and processing of an SSLInputRecord.
 966         // It keeps the reading from sockInput and processing of the record
 967         // atomic so that no two threads can be blocked on the
 968         // read from the same input stream at the same time.
 969         // This is required for example when a reader thread is
 970         // blocked on the read and another thread is trying to
 971         // close the socket. For a non-autoclose, layered socket,
 972         // the thread performing the close needs to read the close_notify.
 973         //
 974         // Use readLock instead of 'this' for locking because
 975         // 'this' also protects data accessed during writing.
 976         synchronized (readLock) {
 977             /*
 978              * Read and handle records ... return application data
 979              * ONLY if it's needed.
 980              */
 981             Plaintext plainText = null;
 982             while (((state = getConnectionState()) != cs_CLOSED) &&
 983                     (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
 984                 // clean the buffer
 985                 if (buffer != null) {
 986                     buffer.clear();
 987                 }
 988 
 989                 /*
 990                  * Read a record ... maybe emitting an alert if we get a
 991                  * comprehensible but unsupported "hello" message during
 992                  * format checking (e.g. V2).
 993                  */
 994                 try {
 995                     plainText = inputRecord.decode(sockInput, buffer);
 996                 } catch (BadPaddingException bpe) {
 997                     byte alertType = (state != cs_DATA) ?
 998                             Alerts.alert_handshake_failure :
 999                             Alerts.alert_bad_record_mac;
1000                     fatal(alertType, bpe.getMessage(), bpe);
1001                 } catch (SSLProtocolException spe) {
1002                     try {
1003                         fatal(Alerts.alert_unexpected_message, spe);
1004                     } catch (IOException x) {
1005                         // discard this exception, throw the original exception
1006                     }
1007                     throw spe;
1008                 } catch (SSLHandshakeException she) {
1009                     // may be record sequence number overflow
1010                     fatal(Alerts.alert_handshake_failure, she);
1011                 } catch (EOFException eof) {
1012                     boolean handshaking = (connectionState <= cs_HANDSHAKE);
1013                     boolean rethrow = requireCloseNotify || handshaking;
1014                     if ((debug != null) && Debug.isOn("ssl")) {
1015                         System.out.println(Thread.currentThread().getName() +
1016                             ", received EOFException: "
1017                             + (rethrow ? "error" : "ignored"));
1018                     }
1019                     if (rethrow) {
1020                         SSLException e;
1021                         if (handshaking) {
1022                             e = new SSLHandshakeException(
1023                                     "Remote host terminated the handshake");
1024                         } else {
1025                             e = new SSLProtocolException(
1026                                     "Remote host terminated the connection");
1027                         }
1028                         e.initCause(eof);
1029                         throw e;
1030                     } else {
1031                         // treat as if we had received a close_notify
1032                         closeInternal(false);
1033                         continue;
1034                     }
1035                 }
1036 
1037                 // PlainText should never be null. Process input record.
1038                 int volume = processInputRecord(plainText, needAppData);
1039 
1040                 if (plainText.contentType == Record.ct_application_data) {
1041                     return volume;
1042                 }
1043 
1044                 if (plainText.contentType == Record.ct_handshake) {
1045                     if (!needAppData && connectionState == cs_DATA) {
1046                         return volume;
1047                     }   // otherwise, need to read more for app data.
1048                 }
1049 
1050                 // continue to read more net data
1051             }   // while
1052 
1053             //
1054             // couldn't read, due to some kind of error
1055             //
1056             return -1;
1057         }  // readLock synchronization
1058     }
1059 
1060     /*
1061      * Process the plainText input record.
1062      */
1063     private synchronized int processInputRecord(
1064             Plaintext plainText, boolean needAppData) throws IOException {
1065 
1066         /*
1067          * Process the record.
1068          */
1069         int volume = 0;    // no application data
1070         switch (plainText.contentType) {
1071             case Record.ct_handshake:
1072                 /*
1073                  * Handshake messages always go to a pending session
1074                  * handshaker ... if there isn't one, create one.  This
1075                  * must work asynchronously, for renegotiation.
1076                  *
1077                  * NOTE that handshaking will either resume a session
1078                  * which was in the cache (and which might have other
1079                  * connections in it already), or else will start a new
1080                  * session (new keys exchanged) with just this connection
1081                  * in it.
1082                  */
1083                 initHandshaker();
1084                 if (!handshaker.activated()) {
1085                     // prior to handshaking, activate the handshake
1086                     if (connectionState == cs_RENEGOTIATE) {
1087                         // don't use SSLv2Hello when renegotiating
1088                         handshaker.activate(protocolVersion);
1089                     } else {
1090                         handshaker.activate(null);
1091                     }
1092                 }
1093 
1094                 /*
1095                  * process the handshake record ... may contain just
1096                  * a partial handshake message or multiple messages.
1097                  *
1098                  * The handshaker state machine will ensure that it's
1099                  * a finished message.
1100                  */
1101                 handshaker.processRecord(plainText.fragment, expectingFinished);
1102                 expectingFinished = false;
1103 
1104                 if (handshaker.invalidated) {
1105                     handshaker = null;
1106                     inputRecord.setHandshakeHash(null);
1107                     outputRecord.setHandshakeHash(null);
1108 
1109                     // if state is cs_RENEGOTIATE, revert it to cs_DATA
1110                     if (connectionState == cs_RENEGOTIATE) {
1111                         connectionState = cs_DATA;
1112                     }
1113                 } else if (handshaker.isDone()) {
1114                     // reset the parameters for secure renegotiation.
1115                     secureRenegotiation =
1116                                     handshaker.isSecureRenegotiation();
1117                     clientVerifyData = handshaker.getClientVerifyData();
1118                     serverVerifyData = handshaker.getServerVerifyData();
1119 
1120                     sess = handshaker.getSession();
1121                     handshakeSession = null;
1122                     handshaker = null;
1123                     inputRecord.setHandshakeHash(null);
1124                     outputRecord.setHandshakeHash(null);
1125                     connectionState = cs_DATA;
1126 
1127                     //
1128                     // Tell folk about handshake completion, but do
1129                     // it in a separate thread.
1130                     //
1131                     if (handshakeListeners != null) {
1132                         HandshakeCompletedEvent event =
1133                             new HandshakeCompletedEvent(this, sess);
1134 
1135                         Thread thread = new ManagedLocalsThread(
1136                             new NotifyHandshake(
1137                                 handshakeListeners.entrySet(), event),
1138                             "HandshakeCompletedNotify-Thread");
1139                         thread.start();
1140                     }
1141                 }
1142 
1143                 break;
1144 
1145             case Record.ct_application_data:
1146                 if (connectionState != cs_DATA
1147                         && connectionState != cs_RENEGOTIATE
1148                         && connectionState != cs_SENT_CLOSE) {
1149                     throw new SSLProtocolException(
1150                         "Data received in non-data state: " +
1151                         connectionState);
1152                 }
1153                 if (expectingFinished) {
1154                     throw new SSLProtocolException
1155                             ("Expecting finished message, received data");
1156                 }
1157                 if (!needAppData) {
1158                     throw new SSLException("Discarding app data");
1159                 }
1160 
1161                 volume = plainText.fragment.remaining();
1162                 break;
1163 
1164             case Record.ct_alert:
1165                 recvAlert(plainText.fragment);
1166                 break;
1167 
1168             case Record.ct_change_cipher_spec:
1169                 if ((connectionState != cs_HANDSHAKE
1170                         && connectionState != cs_RENEGOTIATE)) {
1171                     // For the CCS message arriving in the wrong state
1172                     fatal(Alerts.alert_unexpected_message,
1173                             "illegal change cipher spec msg, conn state = "
1174                             + connectionState);
1175                 } else if (plainText.fragment.remaining() != 1
1176                         || plainText.fragment.get() != 1) {
1177                     // For structural/content issues with the CCS
1178                     fatal(Alerts.alert_unexpected_message,
1179                             "Malformed change cipher spec msg");
1180                 }
1181 
1182                 //
1183                 // The first message after a change_cipher_spec
1184                 // record MUST be a "Finished" handshake record,
1185                 // else it's a protocol violation.  We force this
1186                 // to be checked by a minor tweak to the state
1187                 // machine.
1188                 //
1189                 handshaker.receiveChangeCipherSpec();
1190 
1191                 CipherBox readCipher;
1192                 Authenticator readAuthenticator;
1193                 try {
1194                     readCipher = handshaker.newReadCipher();
1195                     readAuthenticator = handshaker.newReadAuthenticator();
1196                 } catch (GeneralSecurityException e) {
1197                     // can't happen
1198                     throw new SSLException("Algorithm missing:  ", e);
1199                 }
1200                 inputRecord.changeReadCiphers(readAuthenticator, readCipher);
1201 
1202                 // next message MUST be a finished message
1203                 expectingFinished = true;
1204 
1205                 break;
1206 
1207             default:
1208                 //
1209                 // TLS requires that unrecognized records be ignored.
1210                 //
1211                 if (debug != null && Debug.isOn("ssl")) {
1212                     System.out.println(Thread.currentThread().getName() +
1213                         ", Received record type: " + plainText.contentType);
1214                 }
1215                 break;
1216         }
1217 
1218         /*
1219          * Check the sequence number state
1220          *
1221          * Note that in order to maintain the connection I/O
1222          * properly, we check the sequence number after the last
1223          * record reading process. As we request renegotiation
1224          * or close the connection for wrapped sequence number
1225          * when there is enough sequence number space left to
1226          * handle a few more records, so the sequence number
1227          * of the last record cannot be wrapped.
1228          *
1229          * Don't bother to kickstart the renegotiation when the
1230          * local is asking for it.
1231          */
1232         if ((connectionState == cs_DATA) && inputRecord.seqNumIsHuge()) {
1233             /*
1234              * Ask for renegotiation when need to renew sequence number.
1235              *
1236              * Don't bother to kickstart the renegotiation when the local is
1237              * asking for it.
1238              */
1239             if (debug != null && Debug.isOn("ssl")) {
1240                 System.out.println(Thread.currentThread().getName() +
1241                         ", request renegotiation " +
1242                         "to avoid sequence number overflow");
1243             }
1244 
1245             startHandshake();
1246         }
1247 
1248         return volume;
1249     }
1250 
1251 
1252     //
1253     // HANDSHAKE RELATED CODE
1254     //
1255 
1256     /**
1257      * Return the AppInputStream. For use by Handshaker only.
1258      */
1259     AppInputStream getAppInputStream() {
1260         return input;
1261     }
1262 
1263     /**
1264      * Return the AppOutputStream. For use by Handshaker only.
1265      */
1266     AppOutputStream getAppOutputStream() {
1267         return output;
1268     }
1269 
1270     /**
1271      * Initialize the handshaker object. This means:
1272      *
1273      *  . if a handshake is already in progress (state is cs_HANDSHAKE
1274      *    or cs_RENEGOTIATE), do nothing and return
1275      *
1276      *  . if the socket is already closed, throw an Exception (internal error)
1277      *
1278      *  . otherwise (cs_START or cs_DATA), create the appropriate handshaker
1279      *    object, and advance the connection state (to cs_HANDSHAKE or
1280      *    cs_RENEGOTIATE, respectively).
1281      *
1282      * This method is called right after a new socket is created, when
1283      * starting renegotiation, or when changing client/ server mode of the
1284      * socket.
1285      */
1286     private void initHandshaker() {
1287         switch (connectionState) {
1288 
1289         //
1290         // Starting a new handshake.
1291         //
1292         case cs_START:
1293         case cs_DATA:
1294             break;
1295 
1296         //
1297         // We're already in the middle of a handshake.
1298         //
1299         case cs_HANDSHAKE:
1300         case cs_RENEGOTIATE:
1301             return;
1302 
1303         //
1304         // Anyone allowed to call this routine is required to
1305         // do so ONLY if the connection state is reasonable...
1306         //
1307         default:
1308             throw new IllegalStateException("Internal error");
1309         }
1310 
1311         // state is either cs_START or cs_DATA
1312         if (connectionState == cs_START) {
1313             connectionState = cs_HANDSHAKE;
1314         } else { // cs_DATA
1315             connectionState = cs_RENEGOTIATE;
1316         }
1317         if (roleIsServer) {
1318             handshaker = new ServerHandshaker(this, sslContext,
1319                     enabledProtocols, doClientAuth,
1320                     protocolVersion, connectionState == cs_HANDSHAKE,
1321                     secureRenegotiation, clientVerifyData, serverVerifyData);
1322             handshaker.setSNIMatchers(sniMatchers);
1323             handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
1324         } else {
1325             handshaker = new ClientHandshaker(this, sslContext,
1326                     enabledProtocols,
1327                     protocolVersion, connectionState == cs_HANDSHAKE,
1328                     secureRenegotiation, clientVerifyData, serverVerifyData);
1329             handshaker.setSNIServerNames(serverNames);
1330         }
1331         handshaker.setMaximumPacketSize(maximumPacketSize);
1332         handshaker.setEnabledCipherSuites(enabledCipherSuites);
1333         handshaker.setEnableSessionCreation(enableSessionCreation);
1334     }
1335 
1336     /**
1337      * Synchronously perform the initial handshake.
1338      *
1339      * If the handshake is already in progress, this method blocks until it
1340      * is completed. If the initial handshake has already been completed,
1341      * it returns immediately.
1342      */
1343     private void performInitialHandshake() throws IOException {
1344         // use handshakeLock and the state check to make sure only
1345         // one thread performs the handshake
1346         synchronized (handshakeLock) {
1347             if (getConnectionState() == cs_HANDSHAKE) {
1348                 kickstartHandshake();
1349 
1350                 /*
1351                  * All initial handshaking goes through this operation
1352                  * until we have a valid SSL connection.
1353                  *
1354                  * Handle handshake messages only, need no application data.
1355                  */
1356                 readRecord(false);
1357             }
1358         }
1359     }
1360 
1361     /**
1362      * Starts an SSL handshake on this connection.
1363      */
1364     @Override
1365     public void startHandshake() throws IOException {
1366         // start an ssl handshake that could be resumed from timeout exception
1367         startHandshake(true);
1368     }
1369 
1370     /**
1371      * Starts an ssl handshake on this connection.
1372      *
1373      * @param resumable indicates the handshake process is resumable from a
1374      *          certain exception. If <code>resumable</code>, the socket will
1375      *          be reserved for exceptions like timeout; otherwise, the socket
1376      *          will be closed, no further communications could be done.
1377      */
1378     private void startHandshake(boolean resumable) throws IOException {
1379         checkWrite();
1380         try {
1381             if (getConnectionState() == cs_HANDSHAKE) {
1382                 // do initial handshake
1383                 performInitialHandshake();
1384             } else {
1385                 // start renegotiation
1386                 kickstartHandshake();
1387             }
1388         } catch (Exception e) {
1389             // shutdown and rethrow (wrapped) exception as appropriate
1390             handleException(e, resumable);
1391         }
1392     }
1393 
1394     /**
1395      * Kickstart the handshake if it is not already in progress.
1396      * This means:
1397      *
1398      *  . if handshaking is already underway, do nothing and return
1399      *
1400      *  . if the socket is not connected or already closed, throw an
1401      *    Exception.
1402      *
1403      *  . otherwise, call initHandshake() to initialize the handshaker
1404      *    object and progress the state. Then, send the initial
1405      *    handshaking message if appropriate (always on clients and
1406      *    on servers when renegotiating).
1407      */
1408     private synchronized void kickstartHandshake() throws IOException {
1409 
1410         switch (connectionState) {
1411 
1412         case cs_HANDSHAKE:
1413             // handshaker already setup, proceed
1414             break;
1415 
1416         case cs_DATA:
1417             if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) {
1418                 throw new SSLHandshakeException(
1419                         "Insecure renegotiation is not allowed");
1420             }
1421 
1422             if (!secureRenegotiation) {
1423                 if (debug != null && Debug.isOn("handshake")) {
1424                     System.out.println(
1425                         "Warning: Using insecure renegotiation");
1426                 }
1427             }
1428 
1429             // initialize the handshaker, move to cs_RENEGOTIATE
1430             initHandshaker();
1431             break;
1432 
1433         case cs_RENEGOTIATE:
1434             // handshaking already in progress, return
1435             return;
1436 
1437         /*
1438          * The only way to get a socket in the state is when
1439          * you have an unconnected socket.
1440          */
1441         case cs_START:
1442             throw new SocketException(
1443                 "handshaking attempted on unconnected socket");
1444 
1445         default:
1446             throw new SocketException("connection is closed");
1447         }
1448 
1449         //
1450         // Kickstart handshake state machine if we need to ...
1451         //
1452         // Note that handshaker.kickstart() writes the message
1453         // to its HandshakeOutStream, which calls back into
1454         // SSLSocketImpl.writeRecord() to send it.
1455         //
1456         if (!handshaker.activated()) {
1457              // prior to handshaking, activate the handshake
1458             if (connectionState == cs_RENEGOTIATE) {
1459                 // don't use SSLv2Hello when renegotiating
1460                 handshaker.activate(protocolVersion);
1461             } else {
1462                 handshaker.activate(null);
1463             }
1464 
1465             if (handshaker instanceof ClientHandshaker) {
1466                 // send client hello
1467                 handshaker.kickstart();
1468             } else {
1469                 if (connectionState == cs_HANDSHAKE) {
1470                     // initial handshake, no kickstart message to send
1471                 } else {
1472                     // we want to renegotiate, send hello request
1473                     handshaker.kickstart();
1474                 }
1475             }
1476         }
1477     }
1478 
1479     //
1480     // CLOSURE RELATED CALLS
1481     //
1482 
1483     /**
1484      * Return whether the socket has been explicitly closed by the application.
1485      */
1486     @Override
1487     public boolean isClosed() {
1488         return connectionState == cs_APP_CLOSED;
1489     }
1490 
1491     /**
1492      * Return whether we have reached end-of-file.
1493      *
1494      * If the socket is not connected, has been shutdown because of an error
1495      * or has been closed, throw an Exception.
1496      */
1497     boolean checkEOF() throws IOException {
1498         switch (getConnectionState()) {
1499         case cs_START:
1500             throw new SocketException("Socket is not connected");
1501 
1502         case cs_HANDSHAKE:
1503         case cs_DATA:
1504         case cs_RENEGOTIATE:
1505         case cs_SENT_CLOSE:
1506             return false;
1507 
1508         case cs_APP_CLOSED:
1509             throw new SocketException("Socket is closed");
1510 
1511         case cs_ERROR:
1512         case cs_CLOSED:
1513         default:
1514             // either closed because of error, or normal EOF
1515             if (closeReason == null) {
1516                 return true;
1517             }
1518             IOException e = new SSLException
1519                         ("Connection has been shutdown: " + closeReason);
1520             e.initCause(closeReason);
1521             throw e;
1522 
1523         }
1524     }
1525 
1526     /**
1527      * Check if we can write data to this socket. If not, throw an IOException.
1528      */
1529     void checkWrite() throws IOException {
1530         if (checkEOF() || (getConnectionState() == cs_SENT_CLOSE)) {
1531             // we are at EOF, write must throw Exception
1532             throw new SocketException("Connection closed by remote host");
1533         }
1534     }
1535 
1536     private void closeSocket() throws IOException {
1537 
1538         if ((debug != null) && Debug.isOn("ssl")) {
1539             System.out.println(Thread.currentThread().getName() +
1540                                                 ", called closeSocket()");
1541         }
1542 
1543         super.close();
1544     }
1545 
1546     private void closeSocket(boolean selfInitiated) throws IOException {
1547         if ((debug != null) && Debug.isOn("ssl")) {
1548             System.out.println(Thread.currentThread().getName() +
1549                 ", called closeSocket(" + selfInitiated + ")");
1550         }
1551         if (!isLayered() || autoClose) {
1552             super.close();
1553         } else if (selfInitiated) {
1554             // layered && non-autoclose
1555             // read close_notify alert to clear input stream
1556             waitForClose(false);
1557         }
1558     }
1559 
1560     /*
1561      * Closing the connection is tricky ... we can't officially close the
1562      * connection until we know the other end is ready to go away too,
1563      * and if ever the connection gets aborted we must forget session
1564      * state (it becomes invalid).
1565      */
1566 
1567     /**
1568      * Closes the SSL connection.  SSL includes an application level
1569      * shutdown handshake; you should close SSL sockets explicitly
1570      * rather than leaving it for finalization, so that your remote
1571      * peer does not experience a protocol error.
1572      */
1573     @Override
1574     public void close() throws IOException {
1575         if ((debug != null) && Debug.isOn("ssl")) {
1576             System.out.println(Thread.currentThread().getName() +
1577                                                     ", called close()");
1578         }
1579         closeInternal(true);  // caller is initiating close
1580 
1581         // Clearup the resources.
1582         try {
1583             synchronized (readLock) {
1584                 inputRecord.close();
1585             }
1586 
1587             writeLock.lock();
1588             try {
1589                 outputRecord.close();
1590             } finally {
1591                 writeLock.unlock();
1592             }
1593         } catch (IOException ioe) {
1594            // ignore
1595         }
1596 
1597         setConnectionState(cs_APP_CLOSED);
1598     }
1599 
1600     /**
1601      * Don't synchronize the whole method because waitForClose()
1602      * (which calls readRecord()) might be called.
1603      *
1604      * @param selfInitiated Indicates which party initiated the close.
1605      * If selfInitiated, this side is initiating a close; for layered and
1606      * non-autoclose socket, wait for close_notify response.
1607      * If !selfInitiated, peer sent close_notify; we reciprocate but
1608      * no need to wait for response.
1609      */
1610     private void closeInternal(boolean selfInitiated) throws IOException {
1611         if ((debug != null) && Debug.isOn("ssl")) {
1612             System.out.println(Thread.currentThread().getName() +
1613                         ", called closeInternal(" + selfInitiated + ")");
1614         }
1615 
1616         int state = getConnectionState();
1617         boolean closeSocketCalled = false;
1618         Throwable cachedThrowable = null;
1619         try {
1620             switch (state) {
1621             case cs_START:
1622                 // unconnected socket or handshaking has not been initialized
1623                 closeSocket(selfInitiated);
1624                 break;
1625 
1626             /*
1627              * If we're closing down due to error, we already sent (or else
1628              * received) the fatal alert ... no niceties, blow the connection
1629              * away as quickly as possible (even if we didn't allocate the
1630              * socket ourselves; it's unusable, regardless).
1631              */
1632             case cs_ERROR:
1633                 closeSocket();
1634                 break;
1635 
1636             /*
1637              * Sometimes close() gets called more than once.
1638              */
1639             case cs_CLOSED:
1640             case cs_APP_CLOSED:
1641                  break;
1642 
1643             /*
1644              * Otherwise we indicate clean termination.
1645              */
1646             // case cs_HANDSHAKE:
1647             // case cs_DATA:
1648             // case cs_RENEGOTIATE:
1649             // case cs_SENT_CLOSE:
1650             default:
1651                 synchronized (this) {
1652                     if (((state = getConnectionState()) == cs_CLOSED) ||
1653                        (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
1654                         return;  // connection was closed while we waited
1655                     }
1656                     if (state != cs_SENT_CLOSE) {
1657                         try {
1658                             warning(Alerts.alert_close_notify);
1659                             connectionState = cs_SENT_CLOSE;
1660                         } catch (Throwable th) {
1661                             // we need to ensure socket is closed out
1662                             // if we encounter any errors.
1663                             connectionState = cs_ERROR;
1664                             // cache this for later use
1665                             cachedThrowable = th;
1666                             closeSocketCalled = true;
1667                             closeSocket(selfInitiated);
1668                         }
1669                     }
1670                 }
1671                 // If state was cs_SENT_CLOSE before, we don't do the actual
1672                 // closing since it is already in progress.
1673                 if (state == cs_SENT_CLOSE) {
1674                     if (debug != null && Debug.isOn("ssl")) {
1675                         System.out.println(Thread.currentThread().getName() +
1676                             ", close invoked again; state = " +
1677                             getConnectionState());
1678                     }
1679                     if (selfInitiated == false) {
1680                         // We were called because a close_notify message was
1681                         // received. This may be due to another thread calling
1682                         // read() or due to our call to waitForClose() below.
1683                         // In either case, just return.
1684                         return;
1685                     }
1686                     // Another thread explicitly called close(). We need to
1687                     // wait for the closing to complete before returning.
1688                     synchronized (this) {
1689                         while (connectionState < cs_CLOSED) {
1690                             try {
1691                                 this.wait();
1692                             } catch (InterruptedException e) {
1693                                 // ignore
1694                             }
1695                         }
1696                     }
1697                     if ((debug != null) && Debug.isOn("ssl")) {
1698                         System.out.println(Thread.currentThread().getName() +
1699                             ", after primary close; state = " +
1700                             getConnectionState());
1701                     }
1702                     return;
1703                 }
1704 
1705                 if (!closeSocketCalled)  {
1706                     closeSocketCalled = true;
1707                     closeSocket(selfInitiated);
1708                 }
1709 
1710                 break;
1711             }
1712         } finally {
1713             synchronized (this) {
1714                 // Upon exit from this method, the state is always >= cs_CLOSED
1715                 connectionState = (connectionState == cs_APP_CLOSED)
1716                                 ? cs_APP_CLOSED : cs_CLOSED;
1717                 // notify any threads waiting for the closing to finish
1718                 this.notifyAll();
1719             }
1720 
1721             if (cachedThrowable != null) {
1722                /*
1723                 * Rethrow the error to the calling method
1724                 * The Throwable caught can only be an Error or RuntimeException
1725                 */
1726                 if (cachedThrowable instanceof Error) {
1727                     throw (Error)cachedThrowable;
1728                 } else if (cachedThrowable instanceof RuntimeException) {
1729                     throw (RuntimeException)cachedThrowable;
1730                 }   // Otherwise, unlikely
1731             }
1732         }
1733     }
1734 
1735     /**
1736      * Reads a close_notify or a fatal alert from the input stream.
1737      * Keep reading records until we get a close_notify or until
1738      * the connection is otherwise closed.  The close_notify or alert
1739      * might be read by another reader,
1740      * which will then process the close and set the connection state.
1741      */
1742     void waitForClose(boolean rethrow) throws IOException {
1743         if (debug != null && Debug.isOn("ssl")) {
1744             System.out.println(Thread.currentThread().getName() +
1745                 ", waiting for close_notify or alert: state "
1746                 + getConnectionState());
1747         }
1748 
1749         try {
1750             int state;
1751 
1752             while (((state = getConnectionState()) != cs_CLOSED) &&
1753                    (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
1754 
1755                 // Ask for app data and then throw it away
1756                 try {
1757                     readRecord(true);
1758                 } catch (SocketTimeoutException e) {
1759                     // if time out, ignore the exception and continue
1760                 }
1761             }
1762         } catch (IOException e) {
1763             if (debug != null && Debug.isOn("ssl")) {
1764                 System.out.println(Thread.currentThread().getName() +
1765                     ", Exception while waiting for close " +e);
1766             }
1767             if (rethrow) {
1768                 throw e; // pass exception up
1769             }
1770         }
1771     }
1772 
1773     //
1774     // EXCEPTION AND ALERT HANDLING
1775     //
1776 
1777     /**
1778      * Handle an exception. This method is called by top level exception
1779      * handlers (in read(), write()) to make sure we always shutdown the
1780      * connection correctly and do not pass runtime exception to the
1781      * application.
1782      */
1783     void handleException(Exception e) throws IOException {
1784         handleException(e, true);
1785     }
1786 
1787     /**
1788      * Handle an exception. This method is called by top level exception
1789      * handlers (in read(), write(), startHandshake()) to make sure we
1790      * always shutdown the connection correctly and do not pass runtime
1791      * exception to the application.
1792      *
1793      * This method never returns normally, it always throws an IOException.
1794      *
1795      * We first check if the socket has already been shutdown because of an
1796      * error. If so, we just rethrow the exception. If the socket has not
1797      * been shutdown, we sent a fatal alert and remember the exception.
1798      *
1799      * @param e the Exception
1800      * @param resumable indicates the caller process is resumable from the
1801      *          exception. If <code>resumable</code>, the socket will be
1802      *          reserved for exceptions like timeout; otherwise, the socket
1803      *          will be closed, no further communications could be done.
1804      */
1805     synchronized private void handleException(Exception e, boolean resumable)
1806         throws IOException {
1807         if ((debug != null) && Debug.isOn("ssl")) {
1808             System.out.println(Thread.currentThread().getName() +
1809                         ", handling exception: " + e.toString());
1810         }
1811 
1812         // don't close the Socket in case of timeouts or interrupts if
1813         // the process is resumable.
1814         if (e instanceof InterruptedIOException && resumable) {
1815             throw (IOException)e;
1816         }
1817 
1818         // if we've already shutdown because of an error,
1819         // there is nothing to do except rethrow the exception
1820         if (closeReason != null) {
1821             if (e instanceof IOException) { // includes SSLException
1822                 throw (IOException)e;
1823             } else {
1824                 // this is odd, not an IOException.
1825                 // normally, this should not happen
1826                 // if closeReason has been already been set
1827                 throw Alerts.getSSLException(Alerts.alert_internal_error, e,
1828                                       "Unexpected exception");
1829             }
1830         }
1831 
1832         // need to perform error shutdown
1833         boolean isSSLException = (e instanceof SSLException);
1834         if ((!isSSLException) && (e instanceof IOException)) {
1835             // IOException from the socket
1836             // this means the TCP connection is already dead
1837             // we call fatal just to set the error status
1838             try {
1839                 fatal(Alerts.alert_unexpected_message, e);
1840             } catch (IOException ee) {
1841                 // ignore (IOException wrapped in SSLException)
1842             }
1843             // rethrow original IOException
1844             throw (IOException)e;
1845         }
1846 
1847         // must be SSLException or RuntimeException
1848         byte alertType;
1849         if (isSSLException) {
1850             if (e instanceof SSLHandshakeException) {
1851                 alertType = Alerts.alert_handshake_failure;
1852             } else {
1853                 alertType = Alerts.alert_unexpected_message;
1854             }
1855         } else {
1856             alertType = Alerts.alert_internal_error;
1857         }
1858         fatal(alertType, e);
1859     }
1860 
1861     /*
1862      * Send a warning alert.
1863      */
1864     void warning(byte description) {
1865         sendAlert(Alerts.alert_warning, description);
1866     }
1867 
1868     synchronized void fatal(byte description, String diagnostic)
1869             throws IOException {
1870         fatal(description, diagnostic, null);
1871     }
1872 
1873     synchronized void fatal(byte description, Throwable cause)
1874             throws IOException {
1875         fatal(description, null, cause);
1876     }
1877 
1878     /*
1879      * Send a fatal alert, and throw an exception so that callers will
1880      * need to stand on their heads to accidentally continue processing.
1881      */
1882     synchronized void fatal(byte description, String diagnostic,
1883             Throwable cause) throws IOException {
1884 
1885         // Be care of deadlock. Please don't synchronize readLock.
1886         try {
1887             inputRecord.close();
1888         } catch (IOException ioe) {
1889             // ignore
1890         }
1891 
1892         sess.invalidate();
1893         if (handshakeSession != null) {
1894             handshakeSession.invalidate();
1895         }
1896 
1897         int oldState = connectionState;
1898         if (connectionState < cs_ERROR) {
1899             connectionState = cs_ERROR;
1900         }
1901 
1902         /*
1903          * Has there been an error received yet?  If not, remember it.
1904          * By RFC 2246, we don't bother waiting for a response.
1905          * Fatal errors require immediate shutdown.
1906          */
1907         if (closeReason == null) {
1908             /*
1909              * Try to clear the kernel buffer to avoid TCP connection resets.
1910              */
1911             if (oldState == cs_HANDSHAKE) {
1912                 sockInput.skip(sockInput.available());
1913             }
1914 
1915             // If the description equals -1, the alert won't be sent to peer.
1916             if (description != -1) {
1917                 sendAlert(Alerts.alert_fatal, description);
1918             }
1919             if (cause instanceof SSLException) { // only true if != null
1920                 closeReason = (SSLException)cause;
1921             } else {
1922                 closeReason =
1923                     Alerts.getSSLException(description, cause, diagnostic);
1924             }
1925         }
1926 
1927         /*
1928          * Clean up our side.
1929          */
1930         closeSocket();
1931 
1932         // Be care of deadlock. Please don't synchronize writeLock.
1933         try {
1934             outputRecord.close();
1935         } catch (IOException ioe) {
1936             // ignore
1937         }
1938 
1939         throw closeReason;
1940     }
1941 
1942 
1943     /*
1944      * Process an incoming alert ... caller must already have synchronized
1945      * access to "this".
1946      */
1947     private void recvAlert(ByteBuffer fragment) throws IOException {
1948         byte level = fragment.get();
1949         byte description = fragment.get();
1950 
1951         if (description == -1) { // check for short message
1952             fatal(Alerts.alert_illegal_parameter, "Short alert message");
1953         }
1954 
1955         if (debug != null && (Debug.isOn("record") ||
1956                 Debug.isOn("handshake"))) {
1957             synchronized (System.out) {
1958                 System.out.print(Thread.currentThread().getName());
1959                 System.out.print(", RECV " + protocolVersion + " ALERT:  ");
1960                 if (level == Alerts.alert_fatal) {
1961                     System.out.print("fatal, ");
1962                 } else if (level == Alerts.alert_warning) {
1963                     System.out.print("warning, ");
1964                 } else {
1965                     System.out.print("<level " + (0x0ff & level) + ">, ");
1966                 }
1967                 System.out.println(Alerts.alertDescription(description));
1968             }
1969         }
1970 
1971         if (level == Alerts.alert_warning) {
1972             if (description == Alerts.alert_close_notify) {
1973                 if (connectionState == cs_HANDSHAKE) {
1974                     fatal(Alerts.alert_unexpected_message,
1975                                 "Received close_notify during handshake");
1976                 } else {
1977                     closeInternal(false);  // reply to close
1978                 }
1979             } else {
1980 
1981                 //
1982                 // The other legal warnings relate to certificates,
1983                 // e.g. no_certificate, bad_certificate, etc; these
1984                 // are important to the handshaking code, which can
1985                 // also handle illegal protocol alerts if needed.
1986                 //
1987                 if (handshaker != null) {
1988                     handshaker.handshakeAlert(description);
1989                 }
1990             }
1991         } else { // fatal or unknown level
1992             String reason = "Received fatal alert: "
1993                 + Alerts.alertDescription(description);
1994             if (closeReason == null) {
1995                 closeReason = Alerts.getSSLException(description, reason);
1996             }
1997             fatal(Alerts.alert_unexpected_message, reason);
1998         }
1999     }
2000 
2001 
2002     /*
2003      * Emit alerts.  Caller must have synchronized with "this".
2004      */
2005     private void sendAlert(byte level, byte description) {
2006         // the connectionState cannot be cs_START
2007         if (connectionState >= cs_SENT_CLOSE) {
2008             return;
2009         }
2010 
2011         // For initial handshaking, don't send alert message to peer if
2012         // handshaker has not started.
2013         //
2014         // Shall we send an fatal alter to terminate the connection gracefully?
2015         if (connectionState <= cs_HANDSHAKE &&
2016                 (handshaker == null || !handshaker.started() ||
2017                         !handshaker.activated())) {
2018             return;
2019         }
2020 
2021         boolean useDebug = debug != null && Debug.isOn("ssl");
2022         if (useDebug) {
2023             synchronized (System.out) {
2024                 System.out.print(Thread.currentThread().getName());
2025                 System.out.print(", SEND " + protocolVersion + " ALERT:  ");
2026                 if (level == Alerts.alert_fatal) {
2027                     System.out.print("fatal, ");
2028                 } else if (level == Alerts.alert_warning) {
2029                     System.out.print("warning, ");
2030                 } else {
2031                     System.out.print("<level = " + (0x0ff & level) + ">, ");
2032                 }
2033                 System.out.println("description = "
2034                         + Alerts.alertDescription(description));
2035             }
2036         }
2037 
2038         try {
2039             writeAlert(level, description);
2040         } catch (IOException e) {
2041             if (useDebug) {
2042                 System.out.println(Thread.currentThread().getName() +
2043                     ", Exception sending alert: " + e);
2044             }
2045         }
2046     }
2047 
2048     //
2049     // VARIOUS OTHER METHODS
2050     //
2051 
2052     // used by Handshaker
2053     void changeWriteCiphers() throws IOException {
2054         Authenticator writeAuthenticator;
2055         CipherBox writeCipher;
2056         try {
2057             writeCipher = handshaker.newWriteCipher();
2058             writeAuthenticator = handshaker.newWriteAuthenticator();
2059         } catch (GeneralSecurityException e) {
2060             // "can't happen"
2061             throw new SSLException("Algorithm missing:  ", e);
2062         }
2063         outputRecord.changeWriteCiphers(writeAuthenticator, writeCipher);
2064     }
2065 
2066     /*
2067      * Updates the SSL version associated with this connection.
2068      * Called from Handshaker once it has determined the negotiated version.
2069      */
2070     synchronized void setVersion(ProtocolVersion protocolVersion) {
2071         this.protocolVersion = protocolVersion;
2072         outputRecord.setVersion(protocolVersion);
2073     }
2074 
2075     synchronized String getHost() {
2076         // Note that the host may be null or empty for localhost.
2077         if (host == null || host.length() == 0) {
2078             if (!trustNameService) {
2079                 // If the local name service is not trustworthy, reverse host
2080                 // name resolution should not be performed for endpoint
2081                 // identification.  Use the application original specified
2082                 // hostname or IP address instead.
2083                 host = getOriginalHostname(getInetAddress());
2084             } else {
2085                 host = getInetAddress().getHostName();
2086             }
2087         }
2088 
2089         return host;
2090     }
2091 
2092     /*
2093      * Get the original application specified hostname.
2094      */
2095     private static String getOriginalHostname(InetAddress inetAddress) {
2096         /*
2097          * Get the original hostname via jdk.internal.misc.SharedSecrets.
2098          */
2099         JavaNetInetAddressAccess jna = SharedSecrets.getJavaNetInetAddressAccess();
2100         String originalHostname = jna.getOriginalHostName(inetAddress);
2101 
2102         /*
2103          * If no application specified hostname, use the IP address.
2104          */
2105         if (originalHostname == null || originalHostname.length() == 0) {
2106             originalHostname = inetAddress.getHostAddress();
2107         }
2108 
2109         return originalHostname;
2110     }
2111 
2112     // ONLY used by HttpsClient to setup the URI specified hostname
2113     //
2114     // Please NOTE that this method MUST be called before calling to
2115     // SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter
2116     // may override SNIHostName in the customized server name indication.
2117     synchronized public void setHost(String host) {
2118         this.host = host;
2119         this.serverNames =
2120             Utilities.addToSNIServerNameList(this.serverNames, this.host);
2121     }
2122 
2123     /**
2124      * Gets an input stream to read from the peer on the other side.
2125      * Data read from this stream was always integrity protected in
2126      * transit, and will usually have been confidentiality protected.
2127      */
2128     @Override
2129     synchronized public InputStream getInputStream() throws IOException {
2130         if (isClosed()) {
2131             throw new SocketException("Socket is closed");
2132         }
2133 
2134         /*
2135          * Can't call isConnected() here, because the Handshakers
2136          * do some initialization before we actually connect.
2137          */
2138         if (connectionState == cs_START) {
2139             throw new SocketException("Socket is not connected");
2140         }
2141 
2142         return input;
2143     }
2144 
2145     /**
2146      * Gets an output stream to write to the peer on the other side.
2147      * Data written on this stream is always integrity protected, and
2148      * will usually be confidentiality protected.
2149      */
2150     @Override
2151     synchronized public OutputStream getOutputStream() throws IOException {
2152         if (isClosed()) {
2153             throw new SocketException("Socket is closed");
2154         }
2155 
2156         /*
2157          * Can't call isConnected() here, because the Handshakers
2158          * do some initialization before we actually connect.
2159          */
2160         if (connectionState == cs_START) {
2161             throw new SocketException("Socket is not connected");
2162         }
2163 
2164         return output;
2165     }
2166 
2167     /**
2168      * Returns the SSL Session in use by this connection.  These can
2169      * be long lived, and frequently correspond to an entire login session
2170      * for some user.
2171      */
2172     @Override
2173     public SSLSession getSession() {
2174         /*
2175          * Force a synchronous handshake, if appropriate.
2176          */
2177         if (getConnectionState() == cs_HANDSHAKE) {
2178             try {
2179                 // start handshaking, if failed, the connection will be closed.
2180                 startHandshake(false);
2181             } catch (IOException e) {
2182                 // handshake failed. log and return a nullSession
2183                 if (debug != null && Debug.isOn("handshake")) {
2184                       System.out.println(Thread.currentThread().getName() +
2185                           ", IOException in getSession():  " + e);
2186                 }
2187             }
2188         }
2189         synchronized (this) {
2190             return sess;
2191         }
2192     }
2193 
2194     @Override
2195     synchronized public SSLSession getHandshakeSession() {
2196         return handshakeSession;
2197     }
2198 
2199     synchronized void setHandshakeSession(SSLSessionImpl session) {
2200         // update the fragment size, which may be negotiated during handshaking
2201         inputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
2202         outputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
2203 
2204         handshakeSession = session;
2205     }
2206 
2207     /**
2208      * Controls whether new connections may cause creation of new SSL
2209      * sessions.
2210      *
2211      * As long as handshaking has not started, we can change
2212      * whether we enable session creations.  Otherwise,
2213      * we will need to wait for the next handshake.
2214      */
2215     @Override
2216     synchronized public void setEnableSessionCreation(boolean flag) {
2217         enableSessionCreation = flag;
2218 
2219         if ((handshaker != null) && !handshaker.activated()) {
2220             handshaker.setEnableSessionCreation(enableSessionCreation);
2221         }
2222     }
2223 
2224     /**
2225      * Returns true if new connections may cause creation of new SSL
2226      * sessions.
2227      */
2228     @Override
2229     synchronized public boolean getEnableSessionCreation() {
2230         return enableSessionCreation;
2231     }
2232 
2233 
2234     /**
2235      * Sets the flag controlling whether a server mode socket
2236      * *REQUIRES* SSL client authentication.
2237      *
2238      * As long as handshaking has not started, we can change
2239      * whether client authentication is needed.  Otherwise,
2240      * we will need to wait for the next handshake.
2241      */
2242     @Override
2243     synchronized public void setNeedClientAuth(boolean flag) {
2244         doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED :
2245                 ClientAuthType.CLIENT_AUTH_NONE);
2246 
2247         if ((handshaker != null) &&
2248                 (handshaker instanceof ServerHandshaker) &&
2249                 !handshaker.activated()) {
2250             ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
2251         }
2252     }
2253 
2254     @Override
2255     synchronized public boolean getNeedClientAuth() {
2256         return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED);
2257     }
2258 
2259     /**
2260      * Sets the flag controlling whether a server mode socket
2261      * *REQUESTS* SSL client authentication.
2262      *
2263      * As long as handshaking has not started, we can change
2264      * whether client authentication is requested.  Otherwise,
2265      * we will need to wait for the next handshake.
2266      */
2267     @Override
2268     synchronized public void setWantClientAuth(boolean flag) {
2269         doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED :
2270                 ClientAuthType.CLIENT_AUTH_NONE);
2271 
2272         if ((handshaker != null) &&
2273                 (handshaker instanceof ServerHandshaker) &&
2274                 !handshaker.activated()) {
2275             ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
2276         }
2277     }
2278 
2279     @Override
2280     synchronized public boolean getWantClientAuth() {
2281         return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED);
2282     }
2283 
2284 
2285     /**
2286      * Sets the flag controlling whether the socket is in SSL
2287      * client or server mode.  Must be called before any SSL
2288      * traffic has started.
2289      */
2290     @Override
2291     @SuppressWarnings("fallthrough")
2292     synchronized public void setUseClientMode(boolean flag) {
2293         switch (connectionState) {
2294 
2295         case cs_START:
2296             /*
2297              * If we need to change the socket mode and the enabled
2298              * protocols and cipher suites haven't specifically been
2299              * set by the user, change them to the corresponding
2300              * default ones.
2301              */
2302             if (roleIsServer != (!flag)) {
2303                 if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2304                     enabledProtocols =
2305                             sslContext.getDefaultProtocolList(!flag);
2306                 }
2307 
2308                 if (sslContext.isDefaultCipherSuiteList(enabledCipherSuites)) {
2309                     enabledCipherSuites =
2310                             sslContext.getDefaultCipherSuiteList(!flag);
2311                 }
2312             }
2313 
2314             roleIsServer = !flag;
2315             break;
2316 
2317         case cs_HANDSHAKE:
2318             /*
2319              * If we have a handshaker, but haven't started
2320              * SSL traffic, we can throw away our current
2321              * handshaker, and start from scratch.  Don't
2322              * need to call doneConnect() again, we already
2323              * have the streams.
2324              */
2325             assert(handshaker != null);
2326             if (!handshaker.activated()) {
2327                 /*
2328                  * If we need to change the socket mode and the enabled
2329                  * protocols and cipher suites haven't specifically been
2330                  * set by the user, change them to the corresponding
2331                  * default ones.
2332                  */
2333                 if (roleIsServer != (!flag)) {
2334                     if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2335                         enabledProtocols =
2336                                 sslContext.getDefaultProtocolList(!flag);
2337                     }
2338 
2339                     if (sslContext.isDefaultCipherSuiteList(
2340                                                     enabledCipherSuites)) {
2341                         enabledCipherSuites =
2342                             sslContext.getDefaultCipherSuiteList(!flag);
2343                     }
2344                 }
2345 
2346                 roleIsServer = !flag;
2347                 connectionState = cs_START;
2348                 initHandshaker();
2349                 break;
2350             }
2351 
2352             // If handshake has started, that's an error.  Fall through...
2353 
2354         default:
2355             if (debug != null && Debug.isOn("ssl")) {
2356                 System.out.println(Thread.currentThread().getName() +
2357                     ", setUseClientMode() invoked in state = " +
2358                     connectionState);
2359             }
2360             throw new IllegalArgumentException(
2361                 "Cannot change mode after SSL traffic has started");
2362         }
2363     }
2364 
2365     @Override
2366     synchronized public boolean getUseClientMode() {
2367         return !roleIsServer;
2368     }
2369 
2370 
2371     /**
2372      * Returns the names of the cipher suites which could be enabled for use
2373      * on an SSL connection.  Normally, only a subset of these will actually
2374      * be enabled by default, since this list may include cipher suites which
2375      * do not support the mutual authentication of servers and clients, or
2376      * which do not protect data confidentiality.  Servers may also need
2377      * certain kinds of certificates to use certain cipher suites.
2378      *
2379      * @return an array of cipher suite names
2380      */
2381     @Override
2382     public String[] getSupportedCipherSuites() {
2383         return sslContext.getSupportedCipherSuiteList().toStringArray();
2384     }
2385 
2386     /**
2387      * Controls which particular cipher suites are enabled for use on
2388      * this connection.  The cipher suites must have been listed by
2389      * getCipherSuites() as being supported.  Even if a suite has been
2390      * enabled, it might never be used if no peer supports it or the
2391      * requisite certificates (and private keys) are not available.
2392      *
2393      * @param suites Names of all the cipher suites to enable.
2394      */
2395     @Override
2396     synchronized public void setEnabledCipherSuites(String[] suites) {
2397         enabledCipherSuites = new CipherSuiteList(suites);
2398         if ((handshaker != null) && !handshaker.activated()) {
2399             handshaker.setEnabledCipherSuites(enabledCipherSuites);
2400         }
2401     }
2402 
2403     /**
2404      * Returns the names of the SSL cipher suites which are currently enabled
2405      * for use on this connection.  When an SSL socket is first created,
2406      * all enabled cipher suites <em>(a)</em> protect data confidentiality,
2407      * by traffic encryption, and <em>(b)</em> can mutually authenticate
2408      * both clients and servers.  Thus, in some environments, this value
2409      * might be empty.
2410      *
2411      * @return an array of cipher suite names
2412      */
2413     @Override
2414     synchronized public String[] getEnabledCipherSuites() {
2415         return enabledCipherSuites.toStringArray();
2416     }
2417 
2418 
2419     /**
2420      * Returns the protocols that are supported by this implementation.
2421      * A subset of the supported protocols may be enabled for this connection
2422      * @return an array of protocol names.
2423      */
2424     @Override
2425     public String[] getSupportedProtocols() {
2426         return sslContext.getSuportedProtocolList().toStringArray();
2427     }
2428 
2429     /**
2430      * Controls which protocols are enabled for use on
2431      * this connection.  The protocols must have been listed by
2432      * getSupportedProtocols() as being supported.
2433      *
2434      * @param protocols protocols to enable.
2435      * @exception IllegalArgumentException when one of the protocols
2436      *  named by the parameter is not supported.
2437      */
2438     @Override
2439     synchronized public void setEnabledProtocols(String[] protocols) {
2440         enabledProtocols = new ProtocolList(protocols);
2441         if ((handshaker != null) && !handshaker.activated()) {
2442             handshaker.setEnabledProtocols(enabledProtocols);
2443         }
2444     }
2445 
2446     @Override
2447     synchronized public String[] getEnabledProtocols() {
2448         return enabledProtocols.toStringArray();
2449     }
2450 
2451     /**
2452      * Assigns the socket timeout.
2453      * @see java.net.Socket#setSoTimeout
2454      */
2455     @Override
2456     public void setSoTimeout(int timeout) throws SocketException {
2457         if ((debug != null) && Debug.isOn("ssl")) {
2458             System.out.println(Thread.currentThread().getName() +
2459                 ", setSoTimeout(" + timeout + ") called");
2460         }
2461 
2462         super.setSoTimeout(timeout);
2463     }
2464 
2465     /**
2466      * Registers an event listener to receive notifications that an
2467      * SSL handshake has completed on this connection.
2468      */
2469     @Override
2470     public synchronized void addHandshakeCompletedListener(
2471             HandshakeCompletedListener listener) {
2472         if (listener == null) {
2473             throw new IllegalArgumentException("listener is null");
2474         }
2475         if (handshakeListeners == null) {
2476             handshakeListeners = new
2477                 HashMap<HandshakeCompletedListener, AccessControlContext>(4);
2478         }
2479         handshakeListeners.put(listener, AccessController.getContext());
2480     }
2481 
2482 
2483     /**
2484      * Removes a previously registered handshake completion listener.
2485      */
2486     @Override
2487     public synchronized void removeHandshakeCompletedListener(
2488             HandshakeCompletedListener listener) {
2489         if (handshakeListeners == null) {
2490             throw new IllegalArgumentException("no listeners");
2491         }
2492         if (handshakeListeners.remove(listener) == null) {
2493             throw new IllegalArgumentException("listener not registered");
2494         }
2495         if (handshakeListeners.isEmpty()) {
2496             handshakeListeners = null;
2497         }
2498     }
2499 
2500     /**
2501      * Returns the SSLParameters in effect for this SSLSocket.
2502      */
2503     @Override
2504     synchronized public SSLParameters getSSLParameters() {
2505         SSLParameters params = super.getSSLParameters();
2506 
2507         // the super implementation does not handle the following parameters
2508         params.setEndpointIdentificationAlgorithm(identificationProtocol);
2509         params.setAlgorithmConstraints(algorithmConstraints);
2510         params.setSNIMatchers(sniMatchers);
2511         params.setServerNames(serverNames);
2512         params.setUseCipherSuitesOrder(preferLocalCipherSuites);
2513         params.setMaximumPacketSize(maximumPacketSize);
2514 
2515         // DTLS handshake retransmissions parameter does not apply here.
2516 
2517         return params;
2518     }
2519 
2520     /**
2521      * Applies SSLParameters to this socket.
2522      */
2523     @Override
2524     synchronized public void setSSLParameters(SSLParameters params) {
2525         super.setSSLParameters(params);
2526 
2527         // the super implementation does not handle the following parameters
2528         identificationProtocol = params.getEndpointIdentificationAlgorithm();
2529         algorithmConstraints = params.getAlgorithmConstraints();
2530         preferLocalCipherSuites = params.getUseCipherSuitesOrder();
2531         maximumPacketSize = params.getMaximumPacketSize();
2532 
2533         // DTLS handshake retransmissions parameter does not apply here.
2534 
2535         if (maximumPacketSize != 0) {
2536             outputRecord.changePacketSize(maximumPacketSize);
2537         } else {
2538             // use the implicit maximum packet size.
2539             maximumPacketSize = outputRecord.getMaxPacketSize();
2540         }
2541 
2542         List<SNIServerName> sniNames = params.getServerNames();
2543         if (sniNames != null) {
2544             serverNames = sniNames;
2545         }
2546 
2547         Collection<SNIMatcher> matchers = params.getSNIMatchers();
2548         if (matchers != null) {
2549             sniMatchers = matchers;
2550         }
2551 
2552         if ((handshaker != null) && !handshaker.started()) {
2553             handshaker.setIdentificationProtocol(identificationProtocol);
2554             handshaker.setAlgorithmConstraints(algorithmConstraints);
2555             handshaker.setMaximumPacketSize(maximumPacketSize);
2556             if (roleIsServer) {
2557                 handshaker.setSNIMatchers(sniMatchers);
2558                 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
2559             } else {
2560                 handshaker.setSNIServerNames(serverNames);
2561             }
2562         }
2563     }
2564 
2565     //
2566     // We allocate a separate thread to deliver handshake completion
2567     // events.  This ensures that the notifications don't block the
2568     // protocol state machine.
2569     //
2570     private static class NotifyHandshake implements Runnable {
2571 
2572         private Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
2573                 targets;        // who gets notified
2574         private HandshakeCompletedEvent event;          // the notification
2575 
2576         NotifyHandshake(
2577             Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
2578             entrySet, HandshakeCompletedEvent e) {
2579 
2580             targets = new HashSet<>(entrySet);          // clone the entry set
2581             event = e;
2582         }
2583 
2584         @Override
2585         public void run() {
2586             // Don't need to synchronize, as it only runs in one thread.
2587             for (Map.Entry<HandshakeCompletedListener,AccessControlContext>
2588                 entry : targets) {
2589 
2590                 final HandshakeCompletedListener l = entry.getKey();
2591                 AccessControlContext acc = entry.getValue();
2592                 AccessController.doPrivileged(new PrivilegedAction<Void>() {
2593                     @Override
2594                     public Void run() {
2595                         l.handshakeCompleted(event);
2596                         return null;
2597                     }
2598                 }, acc);
2599             }
2600         }
2601     }
2602 
2603     /**
2604      * Returns a printable representation of this end of the connection.
2605      */
2606     @Override
2607     public String toString() {
2608         StringBuilder retval = new StringBuilder(80);
2609 
2610         retval.append(Integer.toHexString(hashCode()));
2611         retval.append("[");
2612         retval.append(sess.getCipherSuite());
2613         retval.append(": ");
2614 
2615         retval.append(super.toString());
2616         retval.append("]");
2617 
2618         return retval.toString();
2619     }
2620 }