1 /*
2 * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.ssl;
27
28 import java.io.*;
29 import java.nio.*;
30 import java.util.*;
31 import java.security.*;
32
33 import javax.crypto.BadPaddingException;
34
35 import javax.net.ssl.*;
36 import javax.net.ssl.SSLEngineResult.*;
37
38 /**
39 * Implementation of an non-blocking SSLEngine.
40 *
41 * *Currently*, the SSLEngine code exists in parallel with the current
42 * SSLSocket. As such, the current implementation is using legacy code
43 * with many of the same abstractions. However, it varies in many
44 * areas, most dramatically in the IO handling.
45 *
46 * There are three main I/O threads that can be existing in parallel:
47 * wrap(), unwrap(), and beginHandshake(). We are encouraging users to
48 * not call multiple instances of wrap or unwrap, because the data could
49 * appear to flow out of the SSLEngine in a non-sequential order. We
50 * take all steps we can to at least make sure the ordering remains
51 * consistent, but once the calls returns, anything can happen. For
52 * example, thread1 and thread2 both call wrap, thread1 gets the first
53 * packet, thread2 gets the second packet, but thread2 gets control back
54 * before thread1, and sends the data. The receiving side would see an
55 * out-of-order error.
56 *
57 * @author Brad Wetmore
58 */
59 public final class SSLEngineImpl extends SSLEngine {
60
61 //
62 // Fields and global comments
63 //
64
65 /*
66 * There's a state machine associated with each connection, which
67 * among other roles serves to negotiate session changes.
68 *
69 * - START with constructor, until the TCP connection's around.
70 * - HANDSHAKE picks session parameters before allowing traffic.
71 * There are many substates due to sequencing requirements
72 * for handshake messages.
73 * - DATA may be transmitted.
74 * - RENEGOTIATE state allows concurrent data and handshaking
75 * traffic ("same" substates as HANDSHAKE), and terminates
76 * in selection of new session (and connection) parameters
77 * - ERROR state immediately precedes abortive disconnect.
78 * - CLOSED when one side closes down, used to start the shutdown
79 * process. SSL connection objects are not reused.
80 *
81 * State affects what SSL record types may legally be sent:
82 *
83 * - Handshake ... only in HANDSHAKE and RENEGOTIATE states
84 * - App Data ... only in DATA and RENEGOTIATE states
85 * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE
86 *
87 * Re what may be received: same as what may be sent, except that
88 * HandshakeRequest handshaking messages can come from servers even
89 * in the application data state, to request entry to RENEGOTIATE.
90 *
91 * The state machine within HANDSHAKE and RENEGOTIATE states controls
92 * the pending session, not the connection state, until the change
93 * cipher spec and "Finished" handshake messages are processed and
94 * make the "new" session become the current one.
95 *
96 * NOTE: details of the SMs always need to be nailed down better.
97 * The text above illustrates the core ideas.
98 *
99 * +---->-------+------>--------->-------+
100 * | | |
101 * <-----< ^ ^ <-----< |
102 *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE |
103 * v v v |
104 * | | | |
105 * +------------+---------------+ |
106 * | |
107 * v |
108 * ERROR>------>----->CLOSED<--------<----+
109 *
110 * ALSO, note that the purpose of handshaking (renegotiation is
111 * included) is to assign a different, and perhaps new, session to
112 * the connection. The SSLv3 spec is a bit confusing on that new
113 * protocol feature.
114 */
115 private int connectionState;
116
117 private static final int cs_START = 0;
118 private static final int cs_HANDSHAKE = 1;
119 private static final int cs_DATA = 2;
120 private static final int cs_RENEGOTIATE = 3;
121 private static final int cs_ERROR = 4;
122 private static final int cs_CLOSED = 6;
123
124 /*
125 * Once we're in state cs_CLOSED, we can continue to
126 * wrap/unwrap until we finish sending/receiving the messages
127 * for close_notify.
128 */
129 private boolean inboundDone = false;
130 private boolean outboundDone = false;
131
132 /*
133 * The authentication context holds all information used to establish
134 * who this end of the connection is (certificate chains, private keys,
135 * etc) and who is trusted (e.g. as CAs or websites).
136 */
137 private SSLContextImpl sslContext;
138
139 /*
140 * This connection is one of (potentially) many associated with
141 * any given session. The output of the handshake protocol is a
142 * new session ... although all the protocol description talks
143 * about changing the cipher spec (and it does change), in fact
144 * that's incidental since it's done by changing everything that
145 * is associated with a session at the same time. (TLS/IETF may
146 * change that to add client authentication w/o new key exchg.)
147 */
148 private Handshaker handshaker;
149 private SSLSessionImpl sess;
150 private volatile SSLSessionImpl handshakeSession;
151
152 /*
153 * Flag indicating if the next record we receive MUST be a Finished
154 * message. Temporarily set during the handshake to ensure that
155 * a change cipher spec message is followed by a finished message.
156 */
157 private boolean expectingFinished;
158
159
160 /*
161 * If someone tries to closeInbound() (say at End-Of-Stream)
162 * our engine having received a close_notify, we need to
163 * notify the app that we may have a truncation attack underway.
164 */
165 private boolean recvCN;
166
167 /*
168 * For improved diagnostics, we detail connection closure
169 * If the engine is closed (connectionState >= cs_ERROR),
170 * closeReason != null indicates if the engine was closed
171 * because of an error or because or normal shutdown.
172 */
173 private SSLException closeReason;
174
175 /*
176 * Per-connection private state that doesn't change when the
177 * session is changed.
178 */
179 private ClientAuthType doClientAuth =
180 ClientAuthType.CLIENT_AUTH_NONE;
181 private boolean enableSessionCreation = true;
182 InputRecord inputRecord;
183 OutputRecord outputRecord;
184 private AccessControlContext acc;
185
186 // The cipher suites enabled for use on this connection.
187 private CipherSuiteList enabledCipherSuites;
188
189 // the endpoint identification protocol
190 private String identificationProtocol = null;
191
192 // The cryptographic algorithm constraints
193 private AlgorithmConstraints algorithmConstraints = null;
194
195 // The server name indication and matchers
196 List<SNIServerName> serverNames =
197 Collections.<SNIServerName>emptyList();
198 Collection<SNIMatcher> sniMatchers =
199 Collections.<SNIMatcher>emptyList();
200
201 // Configured application protocol values
202 String[] applicationProtocols = new String[0];
203
204 // Negotiated application protocol value.
205 //
206 // The value under negotiation will be obtained from handshaker.
207 String applicationProtocol = null;
208
209 // Have we been told whether we're client or server?
210 private boolean serverModeSet = false;
211 private boolean roleIsServer;
212
213 /*
214 * The protocol versions enabled for use on this connection.
215 *
216 * Note: we support a pseudo protocol called SSLv2Hello which when
217 * set will result in an SSL v2 Hello being sent with SSL (version 3.0)
218 * or TLS (version 3.1, 3.2, etc.) version info.
219 */
220 private ProtocolList enabledProtocols;
221
222 /*
223 * The SSL version associated with this connection.
224 */
225 private ProtocolVersion protocolVersion;
226
227 /*
228 * security parameters for secure renegotiation.
229 */
230 private boolean secureRenegotiation;
231 private byte[] clientVerifyData;
232 private byte[] serverVerifyData;
233
234 /*
235 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
236 * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.
237 * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
238 *
239 * There are several locks here.
240 *
241 * The primary lock is the per-instance lock used by
242 * synchronized(this) and the synchronized methods. It controls all
243 * access to things such as the connection state and variables which
244 * affect handshaking. If we are inside a synchronized method, we
245 * can access the state directly, otherwise, we must use the
246 * synchronized equivalents.
247 *
248 * Note that we must never acquire the <code>this</code> lock after
249 * <code>writeLock</code> or run the risk of deadlock.
250 *
251 * Grab some coffee, and be careful with any code changes.
252 */
253 private Object wrapLock;
254 private Object unwrapLock;
255 Object writeLock;
256
257 /*
258 * Whether local cipher suites preference in server side should be
259 * honored during handshaking?
260 */
261 private boolean preferLocalCipherSuites = false;
262
263 /*
264 * whether DTLS handshake retransmissions should be enabled?
265 */
266 private boolean enableRetransmissions = false;
267
268 /*
269 * The maximum expected network packet size for SSL/TLS/DTLS records.
270 */
271 private int maximumPacketSize = 0;
272
273 /*
274 * Is this an instance for Datagram Transport Layer Security (DTLS)?
275 */
276 private final boolean isDTLS;
277
278 /*
279 * Class and subclass dynamic debugging support
280 */
281 private static final Debug debug = Debug.getInstance("ssl");
282
283 //
284 // Initialization/Constructors
285 //
286
287 /**
288 * Constructor for an SSLEngine from SSLContext, without
289 * host/port hints. This Engine will not be able to cache
290 * sessions, but must renegotiate everything by hand.
291 */
292 SSLEngineImpl(SSLContextImpl ctx, boolean isDTLS) {
293 super();
294 this.isDTLS = isDTLS;
295 init(ctx, isDTLS);
296 }
297
298 /**
299 * Constructor for an SSLEngine from SSLContext.
300 */
301 SSLEngineImpl(SSLContextImpl ctx, String host, int port, boolean isDTLS) {
302 super(host, port);
303 this.isDTLS = isDTLS;
304 init(ctx, isDTLS);
305 }
306
307 /**
308 * Initializes the Engine
309 */
310 private void init(SSLContextImpl ctx, boolean isDTLS) {
311 if (debug != null && Debug.isOn("ssl")) {
312 System.out.println("Using SSLEngineImpl.");
313 }
314
315 sslContext = ctx;
316 sess = SSLSessionImpl.nullSession;
317 handshakeSession = null;
318 protocolVersion = isDTLS ?
319 ProtocolVersion.DEFAULT_DTLS : ProtocolVersion.DEFAULT_TLS;
320
321 /*
322 * State is cs_START until we initialize the handshaker.
323 *
324 * Apps using SSLEngine are probably going to be server.
325 * Somewhat arbitrary choice.
326 */
327 roleIsServer = true;
328 connectionState = cs_START;
329
330 // default server name indication
331 serverNames =
332 Utilities.addToSNIServerNameList(serverNames, getPeerHost());
333
334 // default security parameters for secure renegotiation
335 secureRenegotiation = false;
336 clientVerifyData = new byte[0];
337 serverVerifyData = new byte[0];
338
339 enabledCipherSuites =
340 sslContext.getDefaultCipherSuiteList(roleIsServer);
341 enabledProtocols =
342 sslContext.getDefaultProtocolList(roleIsServer);
343
344 wrapLock = new Object();
345 unwrapLock = new Object();
346 writeLock = new Object();
347
348 /*
349 * Save the Access Control Context. This will be used later
350 * for a couple of things, including providing a context to
351 * run tasks in, and for determining which credentials
352 * to use for Subject based (JAAS) decisions
353 */
354 acc = AccessController.getContext();
355
356 /*
357 * All outbound application data goes through this OutputRecord,
358 * other data goes through their respective records created
359 * elsewhere. All inbound data goes through this one
360 * input record.
361 */
362 if (isDTLS) {
363 enableRetransmissions = true;
364
365 // SSLEngine needs no record local buffer
366 outputRecord = new DTLSOutputRecord();
367 inputRecord = new DTLSInputRecord();
368
369 } else {
370 outputRecord = new SSLEngineOutputRecord();
371 inputRecord = new SSLEngineInputRecord();
372 }
373
374 maximumPacketSize = outputRecord.getMaxPacketSize();
375 }
376
377 /**
378 * Initialize the handshaker object. This means:
379 *
380 * . if a handshake is already in progress (state is cs_HANDSHAKE
381 * or cs_RENEGOTIATE), do nothing and return
382 *
383 * . if the engine is already closed, throw an Exception (internal error)
384 *
385 * . otherwise (cs_START or cs_DATA), create the appropriate handshaker
386 * object and advance the connection state (to cs_HANDSHAKE or
387 * cs_RENEGOTIATE, respectively).
388 *
389 * This method is called right after a new engine is created, when
390 * starting renegotiation, or when changing client/server mode of the
391 * engine.
392 */
393 private void initHandshaker() {
394 switch (connectionState) {
395
396 //
397 // Starting a new handshake.
398 //
399 case cs_START:
400 case cs_DATA:
401 break;
402
403 //
404 // We're already in the middle of a handshake.
405 //
406 case cs_HANDSHAKE:
407 case cs_RENEGOTIATE:
408 return;
409
410 //
411 // Anyone allowed to call this routine is required to
412 // do so ONLY if the connection state is reasonable...
413 //
414 default:
415 throw new IllegalStateException("Internal error");
416 }
417
418 // state is either cs_START or cs_DATA
419 if (connectionState == cs_START) {
420 connectionState = cs_HANDSHAKE;
421 } else { // cs_DATA
422 connectionState = cs_RENEGOTIATE;
423 }
424
425 if (roleIsServer) {
426 handshaker = new ServerHandshaker(this, sslContext,
427 enabledProtocols, doClientAuth,
428 protocolVersion, connectionState == cs_HANDSHAKE,
429 secureRenegotiation, clientVerifyData, serverVerifyData,
430 isDTLS);
431 handshaker.setSNIMatchers(sniMatchers);
432 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
433 } else {
434 handshaker = new ClientHandshaker(this, sslContext,
435 enabledProtocols,
436 protocolVersion, connectionState == cs_HANDSHAKE,
437 secureRenegotiation, clientVerifyData, serverVerifyData,
438 isDTLS);
439 handshaker.setSNIServerNames(serverNames);
440 }
441 handshaker.setMaximumPacketSize(maximumPacketSize);
442 handshaker.setEnabledCipherSuites(enabledCipherSuites);
443 handshaker.setEnableSessionCreation(enableSessionCreation);
444 handshaker.setApplicationProtocols(applicationProtocols);
445
446 outputRecord.initHandshaker();
447 }
448
449 /*
450 * Report the current status of the Handshaker
451 */
452 private HandshakeStatus getHSStatus(HandshakeStatus hss) {
453
454 if (hss != null) {
455 return hss;
456 }
457
458 synchronized (this) {
459 if (!outputRecord.isEmpty()) {
460 // If no handshaking, special case to wrap alters.
461 return HandshakeStatus.NEED_WRAP;
462 } else if (handshaker != null) {
463 if (handshaker.taskOutstanding()) {
464 return HandshakeStatus.NEED_TASK;
465 } else if (isDTLS && !inputRecord.isEmpty()) {
466 return HandshakeStatus.NEED_UNWRAP_AGAIN;
467 } else {
468 return HandshakeStatus.NEED_UNWRAP;
469 }
470 } else if (connectionState == cs_CLOSED) {
471 /*
472 * Special case where we're closing, but
473 * still need the close_notify before we
474 * can officially be closed.
475 *
476 * Note isOutboundDone is taken care of by
477 * hasOutboundData() above.
478 */
479 if (!isInboundDone()) {
480 return HandshakeStatus.NEED_UNWRAP;
481 } // else not handshaking
482 }
483
484 return HandshakeStatus.NOT_HANDSHAKING;
485 }
486 }
487
488 private synchronized void checkTaskThrown() throws SSLException {
489 if (handshaker != null) {
490 handshaker.checkThrown();
491 }
492 }
493
494 //
495 // Handshaking and connection state code
496 //
497
498 /*
499 * Provides "this" synchronization for connection state.
500 * Otherwise, you can access it directly.
501 */
502 private synchronized int getConnectionState() {
503 return connectionState;
504 }
505
506 private synchronized void setConnectionState(int state) {
507 connectionState = state;
508 }
509
510 /*
511 * Get the Access Control Context.
512 *
513 * Used for a known context to
514 * run tasks in, and for determining which credentials
515 * to use for Subject-based (JAAS) decisions.
516 */
517 AccessControlContext getAcc() {
518 return acc;
519 }
520
521 /*
522 * Is a handshake currently underway?
523 */
524 @Override
525 public SSLEngineResult.HandshakeStatus getHandshakeStatus() {
526 return getHSStatus(null);
527 }
528
529 /*
530 * used by Handshaker to change the active write cipher, follows
531 * the output of the CCS message.
532 *
533 * Also synchronized on "this" from readRecord/delegatedTask.
534 */
535 void changeWriteCiphers() throws IOException {
536
537 Authenticator writeAuthenticator;
538 CipherBox writeCipher;
539 try {
540 writeCipher = handshaker.newWriteCipher();
541 writeAuthenticator = handshaker.newWriteAuthenticator();
542 } catch (GeneralSecurityException e) {
543 // "can't happen"
544 throw new SSLException("Algorithm missing: ", e);
545 }
546
547 outputRecord.changeWriteCiphers(writeAuthenticator, writeCipher);
548 }
549
550 /*
551 * Updates the SSL version associated with this connection.
552 * Called from Handshaker once it has determined the negotiated version.
553 */
554 synchronized void setVersion(ProtocolVersion protocolVersion) {
555 this.protocolVersion = protocolVersion;
556 outputRecord.setVersion(protocolVersion);
557 }
558
559
560 /**
561 * Kickstart the handshake if it is not already in progress.
562 * This means:
563 *
564 * . if handshaking is already underway, do nothing and return
565 *
566 * . if the engine is not connected or already closed, throw an
567 * Exception.
568 *
569 * . otherwise, call initHandshake() to initialize the handshaker
570 * object and progress the state. Then, send the initial
571 * handshaking message if appropriate (always on clients and
572 * on servers when renegotiating).
573 */
574 private synchronized void kickstartHandshake() throws IOException {
575 switch (connectionState) {
576
577 case cs_START:
578 if (!serverModeSet) {
579 throw new IllegalStateException(
580 "Client/Server mode not yet set.");
581 }
582 initHandshaker();
583 break;
584
585 case cs_HANDSHAKE:
586 // handshaker already setup, proceed
587 break;
588
589 case cs_DATA:
590 if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) {
591 throw new SSLHandshakeException(
592 "Insecure renegotiation is not allowed");
593 }
594
595 if (!secureRenegotiation) {
596 if (debug != null && Debug.isOn("handshake")) {
597 System.out.println(
598 "Warning: Using insecure renegotiation");
599 }
600 }
601
602 // initialize the handshaker, move to cs_RENEGOTIATE
603 initHandshaker();
604 break;
605
606 case cs_RENEGOTIATE:
607 // handshaking already in progress, return
608 return;
609
610 default:
611 // cs_ERROR/cs_CLOSED
612 throw new SSLException("SSLEngine is closing/closed");
613 }
614
615 //
616 // Kickstart handshake state machine if we need to ...
617 //
618 if (!handshaker.activated()) {
619 // prior to handshaking, activate the handshake
620 if (connectionState == cs_RENEGOTIATE) {
621 // don't use SSLv2Hello when renegotiating
622 handshaker.activate(protocolVersion);
623 } else {
624 handshaker.activate(null);
625 }
626
627 if (handshaker instanceof ClientHandshaker) {
628 // send client hello
629 handshaker.kickstart();
630 } else { // instanceof ServerHandshaker
631 if (connectionState == cs_HANDSHAKE) {
632 // initial handshake, no kickstart message to send
633 } else {
634 // we want to renegotiate, send hello request
635 handshaker.kickstart();
636 }
637 }
638 }
639 }
640
641 /*
642 * Start a SSLEngine handshake
643 */
644 @Override
645 public void beginHandshake() throws SSLException {
646 try {
647 kickstartHandshake();
648 } catch (Exception e) {
649 fatal(Alerts.alert_handshake_failure,
650 "Couldn't kickstart handshaking", e);
651 }
652 }
653
654
655 //
656 // Read/unwrap side
657 //
658
659
660 /**
661 * Unwraps a buffer. Does a variety of checks before grabbing
662 * the unwrapLock, which blocks multiple unwraps from occurring.
663 */
664 @Override
665 public SSLEngineResult unwrap(ByteBuffer netData, ByteBuffer[] appData,
666 int offset, int length) throws SSLException {
667
668 // check engine parameters
669 checkEngineParas(netData, appData, offset, length, false);
670
671 try {
672 synchronized (unwrapLock) {
673 return readNetRecord(netData, appData, offset, length);
674 }
675 } catch (SSLProtocolException spe) {
676 // may be an unexpected handshake message
677 fatal(Alerts.alert_unexpected_message, spe.getMessage(), spe);
678 return null; // make compiler happy
679 } catch (Exception e) {
680 /*
681 * Don't reset position so it looks like we didn't
682 * consume anything. We did consume something, and it
683 * got us into this situation, so report that much back.
684 * Our days of consuming are now over anyway.
685 */
686 fatal(Alerts.alert_internal_error,
687 "problem unwrapping net record", e);
688 return null; // make compiler happy
689 }
690 }
691
692 private static void checkEngineParas(ByteBuffer netData,
693 ByteBuffer[] appData, int offset, int len, boolean isForWrap) {
694
695 if ((netData == null) || (appData == null)) {
696 throw new IllegalArgumentException("src/dst is null");
697 }
698
699 if ((offset < 0) || (len < 0) || (offset > appData.length - len)) {
700 throw new IndexOutOfBoundsException();
701 }
702
703 /*
704 * If wrapping, make sure the destination bufffer is writable.
705 */
706 if (isForWrap && netData.isReadOnly()) {
707 throw new ReadOnlyBufferException();
708 }
709
710 for (int i = offset; i < offset + len; i++) {
711 if (appData[i] == null) {
712 throw new IllegalArgumentException(
713 "appData[" + i + "] == null");
714 }
715
716 /*
717 * If unwrapping, make sure the destination bufffers are writable.
718 */
719 if (!isForWrap && appData[i].isReadOnly()) {
720 throw new ReadOnlyBufferException();
721 }
722 }
723 }
724
725 /*
726 * Makes additional checks for unwrap, but this time more
727 * specific to this packet and the current state of the machine.
728 */
729 private SSLEngineResult readNetRecord(ByteBuffer netData,
730 ByteBuffer[] appData, int offset, int length) throws IOException {
731
732 Status status = null;
733 HandshakeStatus hsStatus = null;
734
735 /*
736 * See if the handshaker needs to report back some SSLException.
737 */
738 checkTaskThrown();
739
740 /*
741 * Check if we are closing/closed.
742 */
743 if (isInboundDone()) {
744 return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0);
745 }
746
747 /*
748 * If we're still in cs_HANDSHAKE, make sure it's been
749 * started.
750 */
751 synchronized (this) {
752 if ((connectionState == cs_HANDSHAKE) ||
753 (connectionState == cs_START)) {
754 kickstartHandshake();
755
756 /*
757 * If there's still outbound data to flush, we
758 * can return without trying to unwrap anything.
759 */
760 hsStatus = getHSStatus(null);
761
762 if (hsStatus == HandshakeStatus.NEED_WRAP) {
763 return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
764 }
765 }
766 }
767
768 /*
769 * Grab a copy of this if it doesn't already exist,
770 * and we can use it several places before anything major
771 * happens on this side. Races aren't critical
772 * here.
773 */
774 if (hsStatus == null) {
775 hsStatus = getHSStatus(null);
776 }
777
778 /*
779 * If we have a task outstanding, this *MUST* be done before
780 * doing any more unwrapping, because we could be in the middle
781 * of receiving a handshake message, for example, a finished
782 * message which would change the ciphers.
783 */
784 if (hsStatus == HandshakeStatus.NEED_TASK) {
785 return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
786 }
787
788 if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP_AGAIN) {
789 Plaintext plainText = null;
790 try {
791 plainText = readRecord(null, null, 0, 0);
792 } catch (SSLException e) {
793 throw e;
794 } catch (IOException e) {
795 throw new SSLException("readRecord", e);
796 }
797
798 status = (isInboundDone() ? Status.CLOSED : Status.OK);
799 hsStatus = getHSStatus(plainText.handshakeStatus);
800
801 return new SSLEngineResult(
802 status, hsStatus, 0, 0, plainText.recordSN);
803 }
804
805 /*
806 * Check the packet to make sure enough is here.
807 * This will also indirectly check for 0 len packets.
808 */
809 int packetLen = 0;
810 try {
811 packetLen = inputRecord.bytesInCompletePacket(netData);
812 } catch (SSLException ssle) {
813 // Need to discard invalid records for DTLS protocols.
814 if (isDTLS) {
815 if (debug != null && Debug.isOn("ssl")) {
816 System.out.println(
817 Thread.currentThread().getName() +
818 " discard invalid record: " + ssle);
819 }
820
821 // invalid, discard the entire data [section 4.1.2.7, RFC 6347]
822 int deltaNet = netData.remaining();
823 netData.position(netData.limit());
824
825 status = (isInboundDone() ? Status.CLOSED : Status.OK);
826 hsStatus = getHSStatus(hsStatus);
827
828 return new SSLEngineResult(status, hsStatus, deltaNet, 0, -1L);
829 } else {
830 throw ssle;
831 }
832 }
833
834 // Is this packet bigger than SSL/TLS normally allows?
835 if (packetLen > sess.getPacketBufferSize()) {
836 int largestRecordSize = isDTLS ?
837 DTLSRecord.maxRecordSize : SSLRecord.maxLargeRecordSize;
838 if ((packetLen <= largestRecordSize) && !isDTLS) {
839 // Expand the expected maximum packet/application buffer
840 // sizes.
841 //
842 // Only apply to SSL/TLS protocols.
843
844 // Old behavior: shall we honor the System Property
845 // "jsse.SSLEngine.acceptLargeFragments" if it is "false"?
846 sess.expandBufferSizes();
847 }
848
849 // check the packet again
850 largestRecordSize = sess.getPacketBufferSize();
851 if (packetLen > largestRecordSize) {
852 throw new SSLProtocolException(
853 "Input record too big: max = " +
854 largestRecordSize + " len = " + packetLen);
855 }
856 }
857
858 int netPos = netData.position();
859 int appRemains = 0;
860 for (int i = offset; i < offset + length; i++) {
861 if (appData[i] == null) {
862 throw new IllegalArgumentException(
863 "appData[" + i + "] == null");
864 }
865 appRemains += appData[i].remaining();
866 }
867
868 /*
869 * Check for OVERFLOW.
870 *
871 * Delay enforcing the application buffer free space requirement
872 * until after the initial handshaking.
873 */
874 // synchronize connectionState?
875 if ((connectionState == cs_DATA) ||
876 (connectionState == cs_RENEGOTIATE)) {
877
878 int FragLen = inputRecord.estimateFragmentSize(packetLen);
879 if (FragLen > appRemains) {
880 return new SSLEngineResult(
881 Status.BUFFER_OVERFLOW, hsStatus, 0, 0);
882 }
883 }
884
885 // check for UNDERFLOW.
886 if ((packetLen == -1) || (netData.remaining() < packetLen)) {
887 return new SSLEngineResult(Status.BUFFER_UNDERFLOW, hsStatus, 0, 0);
888 }
889
890 /*
891 * We're now ready to actually do the read.
892 */
893 Plaintext plainText = null;
894 try {
895 plainText = readRecord(netData, appData, offset, length);
896 } catch (SSLException e) {
897 throw e;
898 } catch (IOException e) {
899 throw new SSLException("readRecord", e);
900 }
901
902 /*
903 * Check the various condition that we could be reporting.
904 *
905 * It's *possible* something might have happened between the
906 * above and now, but it was better to minimally lock "this"
907 * during the read process. We'll return the current
908 * status, which is more representative of the current state.
909 *
910 * status above should cover: FINISHED, NEED_TASK
911 */
912 status = (isInboundDone() ? Status.CLOSED : Status.OK);
913 hsStatus = getHSStatus(plainText.handshakeStatus);
914
915 int deltaNet = netData.position() - netPos;
916 int deltaApp = appRemains;
917 for (int i = offset; i < offset + length; i++) {
918 deltaApp -= appData[i].remaining();
919 }
920
921 return new SSLEngineResult(
922 status, hsStatus, deltaNet, deltaApp, plainText.recordSN);
923 }
924
925 // the caller have synchronized readLock
926 void expectingFinishFlight() {
927 inputRecord.expectingFinishFlight();
928 }
929
930 /*
931 * Actually do the read record processing.
932 *
933 * Returns a Status if it can make specific determinations
934 * of the engine state. In particular, we need to signal
935 * that a handshake just completed.
936 *
937 * It would be nice to be symmetrical with the write side and move
938 * the majority of this to SSLInputRecord, but there's too much
939 * SSLEngine state to do that cleanly. It must still live here.
940 */
941 private Plaintext readRecord(ByteBuffer netData,
942 ByteBuffer[] appData, int offset, int length) throws IOException {
943
944 /*
945 * The various operations will return new sliced BB's,
946 * this will avoid having to worry about positions and
947 * limits in the netBB.
948 */
949 Plaintext plainText = null;
950
951 if (getConnectionState() == cs_ERROR) {
952 return Plaintext.PLAINTEXT_NULL;
953 }
954
955 /*
956 * Read a record ... maybe emitting an alert if we get a
957 * comprehensible but unsupported "hello" message during
958 * format checking (e.g. V2).
959 */
960 try {
961 if (isDTLS) {
962 // Don't process the incoming record until all of the
963 // buffered records get handled.
964 plainText = inputRecord.acquirePlaintext();
965 }
966
967 if ((!isDTLS || plainText == null) && netData != null) {
968 plainText = inputRecord.decode(netData);
969 }
970 } catch (UnsupportedOperationException unsoe) { // SSLv2Hello
971 // Hack code to deliver SSLv2 error message for SSL/TLS connections.
972 if (!isDTLS) {
973 outputRecord.encodeV2NoCipher();
974 }
975
976 fatal(Alerts.alert_unexpected_message, unsoe);
977 } catch (BadPaddingException e) {
978 /*
979 * The basic SSLv3 record protection involves (optional)
980 * encryption for privacy, and an integrity check ensuring
981 * data origin authentication. We do them both here, and
982 * throw a fatal alert if the integrity check fails.
983 */
984 byte alertType = (connectionState != cs_DATA) ?
985 Alerts.alert_handshake_failure :
986 Alerts.alert_bad_record_mac;
987 fatal(alertType, e.getMessage(), e);
988 } catch (SSLHandshakeException she) {
989 // may be record sequence number overflow
990 fatal(Alerts.alert_handshake_failure, she);
991 } catch (IOException ioe) {
992 fatal(Alerts.alert_unexpected_message, ioe);
993 }
994
995 // plainText should never be null for TLS protocols
996 HandshakeStatus hsStatus = null;
997 if (plainText == Plaintext.PLAINTEXT_NULL) {
998 // Only happens for DTLS protocols.
999 //
1000 // Received a retransmitted flight, and need to retransmit the
1001 // previous delivered handshake flight messages.
1002 if (enableRetransmissions) {
1003 if (debug != null && Debug.isOn("verbose")) {
1004 Debug.log(
1005 "Retransmit the previous handshake flight messages.");
1006 }
1007
1008 synchronized (this) {
1009 outputRecord.launchRetransmission();
1010 }
1011 } // Otherwise, discard the retransmitted flight.
1012 } else if (!isDTLS || plainText != null) {
1013 hsStatus = processInputRecord(plainText, appData, offset, length);
1014 }
1015
1016 if (hsStatus == null) {
1017 hsStatus = getHSStatus(null);
1018 }
1019
1020 if (plainText == null) {
1021 plainText = Plaintext.PLAINTEXT_NULL;
1022 }
1023 plainText.handshakeStatus = hsStatus;
1024
1025 return plainText;
1026 }
1027
1028 /*
1029 * Process the record.
1030 */
1031 private synchronized HandshakeStatus processInputRecord(
1032 Plaintext plainText,
1033 ByteBuffer[] appData, int offset, int length) throws IOException {
1034
1035 HandshakeStatus hsStatus = null;
1036 switch (plainText.contentType) {
1037 case Record.ct_handshake:
1038 /*
1039 * Handshake messages always go to a pending session
1040 * handshaker ... if there isn't one, create one. This
1041 * must work asynchronously, for renegotiation.
1042 *
1043 * NOTE that handshaking will either resume a session
1044 * which was in the cache (and which might have other
1045 * connections in it already), or else will start a new
1046 * session (new keys exchanged) with just this connection
1047 * in it.
1048 */
1049 initHandshaker();
1050 if (!handshaker.activated()) {
1051 // prior to handshaking, activate the handshake
1052 if (connectionState == cs_RENEGOTIATE) {
1053 // don't use SSLv2Hello when renegotiating
1054 handshaker.activate(protocolVersion);
1055 } else {
1056 handshaker.activate(null);
1057 }
1058 }
1059
1060 /*
1061 * process the handshake record ... may contain just
1062 * a partial handshake message or multiple messages.
1063 *
1064 * The handshaker state machine will ensure that it's
1065 * a finished message.
1066 */
1067 handshaker.processRecord(plainText.fragment, expectingFinished);
1068 expectingFinished = false;
1069
1070 if (handshaker.invalidated) {
1071 finishHandshake();
1072
1073 // if state is cs_RENEGOTIATE, revert it to cs_DATA
1074 if (connectionState == cs_RENEGOTIATE) {
1075 connectionState = cs_DATA;
1076 }
1077 } else if (handshaker.isDone()) {
1078 // reset the parameters for secure renegotiation.
1079 secureRenegotiation =
1080 handshaker.isSecureRenegotiation();
1081 clientVerifyData = handshaker.getClientVerifyData();
1082 serverVerifyData = handshaker.getServerVerifyData();
1083 // set connection ALPN value
1084 applicationProtocol =
1085 handshaker.getHandshakeApplicationProtocol();
1086
1087 sess = handshaker.getSession();
1088 handshakeSession = null;
1089 if (outputRecord.isEmpty()) {
1090 hsStatus = finishHandshake();
1091 connectionState = cs_DATA;
1092 }
1093
1094 // No handshakeListeners here. That's a
1095 // SSLSocket thing.
1096 } else if (handshaker.taskOutstanding()) {
1097 hsStatus = HandshakeStatus.NEED_TASK;
1098 }
1099 break;
1100
1101 case Record.ct_application_data:
1102 // Pass this right back up to the application.
1103 if ((connectionState != cs_DATA)
1104 && (connectionState != cs_RENEGOTIATE)
1105 && (connectionState != cs_CLOSED)) {
1106 throw new SSLProtocolException(
1107 "Data received in non-data state: " +
1108 connectionState);
1109 }
1110
1111 if (expectingFinished) {
1112 throw new SSLProtocolException
1113 ("Expecting finished message, received data");
1114 }
1115
1116 if (!inboundDone) {
1117 ByteBuffer fragment = plainText.fragment;
1118 int remains = fragment.remaining();
1119
1120 // Should have enough room in appData.
1121 for (int i = offset;
1122 ((i < (offset + length)) && (remains > 0)); i++) {
1123 int amount = Math.min(appData[i].remaining(), remains);
1124 fragment.limit(fragment.position() + amount);
1125 appData[i].put(fragment);
1126 remains -= amount;
1127 }
1128 }
1129
1130 break;
1131
1132 case Record.ct_alert:
1133 recvAlert(plainText.fragment);
1134 break;
1135
1136 case Record.ct_change_cipher_spec:
1137 if ((connectionState != cs_HANDSHAKE
1138 && connectionState != cs_RENEGOTIATE)) {
1139 // For the CCS message arriving in the wrong state
1140 fatal(Alerts.alert_unexpected_message,
1141 "illegal change cipher spec msg, conn state = "
1142 + connectionState);
1143 } else if (plainText.fragment.remaining() != 1
1144 || plainText.fragment.get() != 1) {
1145 // For structural/content issues with the CCS
1146 fatal(Alerts.alert_unexpected_message,
1147 "Malformed change cipher spec msg");
1148 }
1149
1150 //
1151 // The first message after a change_cipher_spec
1152 // record MUST be a "Finished" handshake record,
1153 // else it's a protocol violation. We force this
1154 // to be checked by a minor tweak to the state
1155 // machine.
1156 //
1157 handshaker.receiveChangeCipherSpec();
1158
1159 CipherBox readCipher;
1160 Authenticator readAuthenticator;
1161 try {
1162 readCipher = handshaker.newReadCipher();
1163 readAuthenticator = handshaker.newReadAuthenticator();
1164 } catch (GeneralSecurityException e) {
1165 // can't happen
1166 throw new SSLException("Algorithm missing: ", e);
1167 }
1168 inputRecord.changeReadCiphers(readAuthenticator, readCipher);
1169
1170 // next message MUST be a finished message
1171 expectingFinished = true;
1172 break;
1173
1174 default:
1175 //
1176 // TLS requires that unrecognized records be ignored.
1177 //
1178 if (debug != null && Debug.isOn("ssl")) {
1179 System.out.println(Thread.currentThread().getName() +
1180 ", Received record type: " + plainText.contentType);
1181 }
1182 break;
1183 } // switch
1184
1185 /*
1186 * We only need to check the sequence number state for
1187 * non-handshaking record.
1188 *
1189 * Note that in order to maintain the handshake status
1190 * properly, we check the sequence number after the last
1191 * record reading process. As we request renegotiation
1192 * or close the connection for wrapped sequence number
1193 * when there is enough sequence number space left to
1194 * handle a few more records, so the sequence number
1195 * of the last record cannot be wrapped.
1196 */
1197 hsStatus = getHSStatus(hsStatus);
1198 if (connectionState < cs_ERROR && !isInboundDone() &&
1199 (hsStatus == HandshakeStatus.NOT_HANDSHAKING) &&
1200 (inputRecord.seqNumIsHuge())) {
1201 /*
1202 * Ask for renegotiation when need to renew sequence number.
1203 *
1204 * Don't bother to kickstart the renegotiation when the local is
1205 * asking for it.
1206 */
1207 if (debug != null && Debug.isOn("ssl")) {
1208 System.out.println(Thread.currentThread().getName() +
1209 ", request renegotiation " +
1210 "to avoid sequence number overflow");
1211 }
1212
1213 beginHandshake();
1214
1215 hsStatus = getHSStatus(null);
1216 }
1217
1218 return hsStatus;
1219 }
1220
1221
1222 //
1223 // write/wrap side
1224 //
1225
1226
1227 /**
1228 * Wraps a buffer. Does a variety of checks before grabbing
1229 * the wrapLock, which blocks multiple wraps from occurring.
1230 */
1231 @Override
1232 public SSLEngineResult wrap(ByteBuffer[] appData,
1233 int offset, int length, ByteBuffer netData) throws SSLException {
1234
1235 // check engine parameters
1236 checkEngineParas(netData, appData, offset, length, true);
1237
1238 /*
1239 * We can be smarter about using smaller buffer sizes later.
1240 * For now, force it to be large enough to handle any valid record.
1241 */
1242 if (netData.remaining() < sess.getPacketBufferSize()) {
1243 return new SSLEngineResult(
1244 Status.BUFFER_OVERFLOW, getHSStatus(null), 0, 0);
1245 }
1246
1247 try {
1248 synchronized (wrapLock) {
1249 return writeAppRecord(appData, offset, length, netData);
1250 }
1251 } catch (SSLProtocolException spe) {
1252 // may be an unexpected handshake message
1253 fatal(Alerts.alert_unexpected_message, spe.getMessage(), spe);
1254 return null; // make compiler happy
1255 } catch (Exception e) {
1256 fatal(Alerts.alert_internal_error,
1257 "problem wrapping app data", e);
1258 return null; // make compiler happy
1259 }
1260 }
1261
1262 /*
1263 * Makes additional checks for unwrap, but this time more
1264 * specific to this packet and the current state of the machine.
1265 */
1266 private SSLEngineResult writeAppRecord(ByteBuffer[] appData,
1267 int offset, int length, ByteBuffer netData) throws IOException {
1268
1269 Status status = null;
1270 HandshakeStatus hsStatus = null;
1271
1272 /*
1273 * See if the handshaker needs to report back some SSLException.
1274 */
1275 checkTaskThrown();
1276
1277 /*
1278 * short circuit if we're closed/closing.
1279 */
1280 if (isOutboundDone()) {
1281 return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0);
1282 }
1283
1284 /*
1285 * If we're still in cs_HANDSHAKE, make sure it's been
1286 * started.
1287 */
1288 synchronized (this) {
1289 if ((connectionState == cs_HANDSHAKE) ||
1290 (connectionState == cs_START)) {
1291
1292 kickstartHandshake();
1293
1294 /*
1295 * If there's no HS data available to write, we can return
1296 * without trying to wrap anything.
1297 */
1298 hsStatus = getHSStatus(null);
1299 if (hsStatus == HandshakeStatus.NEED_UNWRAP) {
1300 /*
1301 * For DTLS, if the handshake state is
1302 * HandshakeStatus.NEED_UNWRAP, a call to SSLEngine.wrap()
1303 * means that the previous handshake packets (if delivered)
1304 * get lost, and need retransmit the handshake messages.
1305 */
1306 if (!isDTLS || !enableRetransmissions ||
1307 (handshaker == null) || outputRecord.firstMessage) {
1308
1309 return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
1310 } // otherwise, need retransmission
1311 }
1312 }
1313 }
1314
1315 /*
1316 * Grab a copy of this if it doesn't already exist,
1317 * and we can use it several places before anything major
1318 * happens on this side. Races aren't critical
1319 * here.
1320 */
1321 if (hsStatus == null) {
1322 hsStatus = getHSStatus(null);
1323 }
1324
1325 /*
1326 * If we have a task outstanding, this *MUST* be done before
1327 * doing any more wrapping, because we could be in the middle
1328 * of receiving a handshake message, for example, a finished
1329 * message which would change the ciphers.
1330 */
1331 if (hsStatus == HandshakeStatus.NEED_TASK) {
1332 return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
1333 }
1334
1335 /*
1336 * This will obtain any waiting outbound data, or will
1337 * process the outbound appData.
1338 */
1339 int netPos = netData.position();
1340 int appRemains = 0;
1341 for (int i = offset; i < offset + length; i++) {
1342 if (appData[i] == null) {
1343 throw new IllegalArgumentException(
1344 "appData[" + i + "] == null");
1345 }
1346 appRemains += appData[i].remaining();
1347 }
1348
1349 Ciphertext ciphertext = null;
1350 try {
1351 if (appRemains != 0) {
1352 synchronized (writeLock) {
1353 ciphertext = writeRecord(appData, offset, length, netData);
1354 }
1355 } else {
1356 synchronized (writeLock) {
1357 ciphertext = writeRecord(null, 0, 0, netData);
1358 }
1359 }
1360 } catch (SSLException e) {
1361 throw e;
1362 } catch (IOException e) {
1363 throw new SSLException("Write problems", e);
1364 }
1365
1366 /*
1367 * writeRecord might have reported some status.
1368 * Now check for the remaining cases.
1369 *
1370 * status above should cover: NEED_WRAP/FINISHED
1371 */
1372 status = (isOutboundDone() ? Status.CLOSED : Status.OK);
1373 hsStatus = getHSStatus(ciphertext.handshakeStatus);
1374
1375 int deltaNet = netData.position() - netPos;
1376 int deltaApp = appRemains;
1377 for (int i = offset; i < offset + length; i++) {
1378 deltaApp -= appData[i].remaining();
1379 }
1380
1381 return new SSLEngineResult(
1382 status, hsStatus, deltaApp, deltaNet, ciphertext.recordSN);
1383 }
1384
1385 /*
1386 * Central point to write/get all of the outgoing data.
1387 */
1388 private Ciphertext writeRecord(ByteBuffer[] appData,
1389 int offset, int length, ByteBuffer netData) throws IOException {
1390
1391 Ciphertext ciphertext = null;
1392 try {
1393 // Acquire the buffered to-be-delivered records or retransmissions.
1394 //
1395 // May have buffered records, or need retransmission if handshaking.
1396 if (!outputRecord.isEmpty() ||
1397 (enableRetransmissions && handshaker != null)) {
1398 ciphertext = outputRecord.acquireCiphertext(netData);
1399 }
1400
1401 if ((ciphertext == null) && (appData != null)) {
1402 ciphertext = outputRecord.encode(
1403 appData, offset, length, netData);
1404 }
1405 } catch (SSLHandshakeException she) {
1406 // may be record sequence number overflow
1407 fatal(Alerts.alert_handshake_failure, she);
1408
1409 return Ciphertext.CIPHERTEXT_NULL; // make the complier happy
1410 } catch (IOException e) {
1411 fatal(Alerts.alert_unexpected_message, e);
1412
1413 return Ciphertext.CIPHERTEXT_NULL; // make the complier happy
1414 }
1415
1416 if (ciphertext == null) {
1417 return Ciphertext.CIPHERTEXT_NULL;
1418 }
1419
1420 HandshakeStatus hsStatus = null;
1421 Ciphertext.RecordType recordType = ciphertext.recordType;
1422 if ((recordType.contentType == Record.ct_handshake) &&
1423 (recordType.handshakeType == HandshakeMessage.ht_finished) &&
1424 outputRecord.isEmpty()) {
1425
1426 if (handshaker == null) {
1427 hsStatus = HandshakeStatus.FINISHED;
1428 } else if (handshaker.isDone()) {
1429 hsStatus = finishHandshake();
1430 connectionState = cs_DATA;
1431
1432 // Retransmit the last flight twice.
1433 //
1434 // The application data transactions may begin immediately
1435 // after the last flight. If the last flight get lost, the
1436 // application data may be discarded accordingly. As could
1437 // be an issue for some applications. This impact can be
1438 // mitigated by sending the last fligth twice.
1439 if (isDTLS && enableRetransmissions) {
1440 if (debug != null && Debug.isOn("verbose")) {
1441 Debug.log(
1442 "Retransmit the last flight messages.");
1443 }
1444
1445 synchronized (this) {
1446 outputRecord.launchRetransmission();
1447 }
1448
1449 hsStatus = HandshakeStatus.NEED_WRAP;
1450 }
1451 }
1452 } // Otherwise, the followed call to getHSStatus() will help.
1453
1454 /*
1455 * We only need to check the sequence number state for
1456 * non-handshaking record.
1457 *
1458 * Note that in order to maintain the handshake status
1459 * properly, we check the sequence number after the last
1460 * record writing process. As we request renegotiation
1461 * or close the connection for wrapped sequence number
1462 * when there is enough sequence number space left to
1463 * handle a few more records, so the sequence number
1464 * of the last record cannot be wrapped.
1465 */
1466 hsStatus = getHSStatus(hsStatus);
1467 if (connectionState < cs_ERROR && !isOutboundDone() &&
1468 (hsStatus == HandshakeStatus.NOT_HANDSHAKING) &&
1469 (outputRecord.seqNumIsHuge())) {
1470 /*
1471 * Ask for renegotiation when need to renew sequence number.
1472 *
1473 * Don't bother to kickstart the renegotiation when the local is
1474 * asking for it.
1475 */
1476 if (debug != null && Debug.isOn("ssl")) {
1477 System.out.println(Thread.currentThread().getName() +
1478 ", request renegotiation " +
1479 "to avoid sequence number overflow");
1480 }
1481
1482 beginHandshake();
1483
1484 hsStatus = getHSStatus(null);
1485 }
1486 ciphertext.handshakeStatus = hsStatus;
1487
1488 return ciphertext;
1489 }
1490
1491 private HandshakeStatus finishHandshake() {
1492 handshaker = null;
1493 inputRecord.setHandshakeHash(null);
1494 outputRecord.setHandshakeHash(null);
1495 connectionState = cs_DATA;
1496
1497 return HandshakeStatus.FINISHED;
1498 }
1499
1500 //
1501 // Close code
1502 //
1503
1504 /**
1505 * Signals that no more outbound application data will be sent
1506 * on this <code>SSLEngine</code>.
1507 */
1508 private void closeOutboundInternal() {
1509
1510 if ((debug != null) && Debug.isOn("ssl")) {
1511 System.out.println(Thread.currentThread().getName() +
1512 ", closeOutboundInternal()");
1513 }
1514
1515 /*
1516 * Already closed, ignore
1517 */
1518 if (outboundDone) {
1519 return;
1520 }
1521
1522 switch (connectionState) {
1523
1524 /*
1525 * If we haven't even started yet, don't bother reading inbound.
1526 */
1527 case cs_START:
1528 try {
1529 outputRecord.close();
1530 } catch (IOException ioe) {
1531 // ignore
1532 }
1533 outboundDone = true;
1534
1535 try {
1536 inputRecord.close();
1537 } catch (IOException ioe) {
1538 // ignore
1539 }
1540 inboundDone = true;
1541 break;
1542
1543 case cs_ERROR:
1544 case cs_CLOSED:
1545 break;
1546
1547 /*
1548 * Otherwise we indicate clean termination.
1549 */
1550 // case cs_HANDSHAKE:
1551 // case cs_DATA:
1552 // case cs_RENEGOTIATE:
1553 default:
1554 warning(Alerts.alert_close_notify);
1555 try {
1556 outputRecord.close();
1557 } catch (IOException ioe) {
1558 // ignore
1559 }
1560 outboundDone = true;
1561 break;
1562 }
1563
1564 connectionState = cs_CLOSED;
1565 }
1566
1567 @Override
1568 public synchronized void closeOutbound() {
1569 /*
1570 * Dump out a close_notify to the remote side
1571 */
1572 if ((debug != null) && Debug.isOn("ssl")) {
1573 System.out.println(Thread.currentThread().getName() +
1574 ", called closeOutbound()");
1575 }
1576
1577 closeOutboundInternal();
1578 }
1579
1580 /**
1581 * Returns the outbound application data closure state
1582 */
1583 @Override
1584 public boolean isOutboundDone() {
1585 return outboundDone && outputRecord.isEmpty();
1586 }
1587
1588 /**
1589 * Signals that no more inbound network data will be sent
1590 * to this <code>SSLEngine</code>.
1591 */
1592 private void closeInboundInternal() {
1593
1594 if ((debug != null) && Debug.isOn("ssl")) {
1595 System.out.println(Thread.currentThread().getName() +
1596 ", closeInboundInternal()");
1597 }
1598
1599 /*
1600 * Already closed, ignore
1601 */
1602 if (inboundDone) {
1603 return;
1604 }
1605
1606 closeOutboundInternal();
1607
1608 try {
1609 inputRecord.close();
1610 } catch (IOException ioe) {
1611 // ignore
1612 }
1613 inboundDone = true;
1614
1615 connectionState = cs_CLOSED;
1616 }
1617
1618 /*
1619 * Close the inbound side of the connection. We grab the
1620 * lock here, and do the real work in the internal verison.
1621 * We do check for truncation attacks.
1622 */
1623 @Override
1624 public synchronized void closeInbound() throws SSLException {
1625 /*
1626 * Currently closes the outbound side as well. The IETF TLS
1627 * working group has expressed the opinion that 1/2 open
1628 * connections are not allowed by the spec. May change
1629 * someday in the future.
1630 */
1631 if ((debug != null) && Debug.isOn("ssl")) {
1632 System.out.println(Thread.currentThread().getName() +
1633 ", called closeInbound()");
1634 }
1635
1636 /*
1637 * No need to throw an Exception if we haven't even started yet.
1638 */
1639 if ((connectionState != cs_START) && !recvCN) {
1640 recvCN = true; // Only receive the Exception once
1641 fatal(Alerts.alert_internal_error,
1642 "Inbound closed before receiving peer's close_notify: " +
1643 "possible truncation attack?");
1644 } else {
1645 /*
1646 * Currently, this is a no-op, but in case we change
1647 * the close inbound code later.
1648 */
1649 closeInboundInternal();
1650 }
1651 }
1652
1653 /**
1654 * Returns the network inbound data closure state
1655 */
1656 @Override
1657 public synchronized boolean isInboundDone() {
1658 return inboundDone;
1659 }
1660
1661
1662 //
1663 // Misc stuff
1664 //
1665
1666
1667 /**
1668 * Returns the current <code>SSLSession</code> for this
1669 * <code>SSLEngine</code>
1670 * <P>
1671 * These can be long lived, and frequently correspond to an
1672 * entire login session for some user.
1673 */
1674 @Override
1675 public synchronized SSLSession getSession() {
1676 return sess;
1677 }
1678
1679 @Override
1680 public synchronized SSLSession getHandshakeSession() {
1681 return handshakeSession;
1682 }
1683
1684 synchronized void setHandshakeSession(SSLSessionImpl session) {
1685 // update the fragment size, which may be negotiated during handshaking
1686 inputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
1687 outputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
1688
1689 handshakeSession = session;
1690 }
1691
1692 /**
1693 * Returns a delegated <code>Runnable</code> task for
1694 * this <code>SSLEngine</code>.
1695 */
1696 @Override
1697 public synchronized Runnable getDelegatedTask() {
1698 if (handshaker != null) {
1699 return handshaker.getTask();
1700 }
1701 return null;
1702 }
1703
1704
1705 //
1706 // EXCEPTION AND ALERT HANDLING
1707 //
1708
1709 /*
1710 * Send a warning alert.
1711 */
1712 void warning(byte description) {
1713 sendAlert(Alerts.alert_warning, description);
1714 }
1715
1716 synchronized void fatal(byte description, String diagnostic)
1717 throws SSLException {
1718 fatal(description, diagnostic, null);
1719 }
1720
1721 synchronized void fatal(byte description, Throwable cause)
1722 throws SSLException {
1723 fatal(description, null, cause);
1724 }
1725
1726 /*
1727 * We've got a fatal error here, so start the shutdown process.
1728 *
1729 * Because of the way the code was written, we have some code
1730 * calling fatal directly when the "description" is known
1731 * and some throwing Exceptions which are then caught by higher
1732 * levels which then call here. This code needs to determine
1733 * if one of the lower levels has already started the process.
1734 *
1735 * We won't worry about Error's, if we have one of those,
1736 * we're in worse trouble. Note: the networking code doesn't
1737 * deal with Errors either.
1738 */
1739 synchronized void fatal(byte description, String diagnostic,
1740 Throwable cause) throws SSLException {
1741
1742 /*
1743 * If we have no further information, make a general-purpose
1744 * message for folks to see. We generally have one or the other.
1745 */
1746 if (diagnostic == null) {
1747 diagnostic = "General SSLEngine problem";
1748 }
1749 if (cause == null) {
1750 cause = Alerts.getSSLException(description, cause, diagnostic);
1751 }
1752
1753 /*
1754 * If we've already shutdown because of an error,
1755 * there is nothing we can do except rethrow the exception.
1756 *
1757 * Most exceptions seen here will be SSLExceptions.
1758 * We may find the occasional Exception which hasn't been
1759 * converted to a SSLException, so we'll do it here.
1760 */
1761 if (closeReason != null) {
1762 if ((debug != null) && Debug.isOn("ssl")) {
1763 System.out.println(Thread.currentThread().getName() +
1764 ", fatal: engine already closed. Rethrowing " +
1765 cause.toString());
1766 }
1767 if (cause instanceof RuntimeException) {
1768 throw (RuntimeException)cause;
1769 } else if (cause instanceof SSLException) {
1770 throw (SSLException)cause;
1771 } else if (cause instanceof Exception) {
1772 throw new SSLException("fatal SSLEngine condition", cause);
1773 }
1774 }
1775
1776 if ((debug != null) && Debug.isOn("ssl")) {
1777 System.out.println(Thread.currentThread().getName()
1778 + ", fatal error: " + description +
1779 ": " + diagnostic + "\n" + cause.toString());
1780 }
1781
1782 /*
1783 * Ok, this engine's going down.
1784 */
1785 int oldState = connectionState;
1786 connectionState = cs_ERROR;
1787
1788 try {
1789 inputRecord.close();
1790 } catch (IOException ioe) {
1791 // ignore
1792 }
1793 inboundDone = true;
1794
1795 sess.invalidate();
1796 if (handshakeSession != null) {
1797 handshakeSession.invalidate();
1798 }
1799
1800 /*
1801 * If we haven't even started handshaking yet, no need
1802 * to generate the fatal close alert.
1803 */
1804 if (oldState != cs_START) {
1805 sendAlert(Alerts.alert_fatal, description);
1806 }
1807
1808 if (cause instanceof SSLException) { // only true if != null
1809 closeReason = (SSLException)cause;
1810 } else {
1811 /*
1812 * Including RuntimeExceptions, but we'll throw those
1813 * down below. The closeReason isn't used again,
1814 * except for null checks.
1815 */
1816 closeReason =
1817 Alerts.getSSLException(description, cause, diagnostic);
1818 }
1819
1820 try {
1821 outputRecord.close();
1822 } catch (IOException ioe) {
1823 // ignore
1824 }
1825 outboundDone = true;
1826
1827 connectionState = cs_CLOSED;
1828
1829 if (cause instanceof RuntimeException) {
1830 throw (RuntimeException)cause;
1831 } else {
1832 throw closeReason;
1833 }
1834 }
1835
1836 /*
1837 * Process an incoming alert ... caller must already have synchronized
1838 * access to "this".
1839 */
1840 private void recvAlert(ByteBuffer fragment) throws IOException {
1841 byte level = fragment.get();
1842 byte description = fragment.get();
1843
1844 if (description == -1) { // check for short message
1845 fatal(Alerts.alert_illegal_parameter, "Short alert message");
1846 }
1847
1848 if (debug != null && (Debug.isOn("record") ||
1849 Debug.isOn("handshake"))) {
1850 synchronized (System.out) {
1851 System.out.print(Thread.currentThread().getName());
1852 System.out.print(", RECV " + protocolVersion + " ALERT: ");
1853 if (level == Alerts.alert_fatal) {
1854 System.out.print("fatal, ");
1855 } else if (level == Alerts.alert_warning) {
1856 System.out.print("warning, ");
1857 } else {
1858 System.out.print("<level " + (0x0ff & level) + ">, ");
1859 }
1860 System.out.println(Alerts.alertDescription(description));
1861 }
1862 }
1863
1864 if (level == Alerts.alert_warning) {
1865 if (description == Alerts.alert_close_notify) {
1866 if (connectionState == cs_HANDSHAKE) {
1867 fatal(Alerts.alert_unexpected_message,
1868 "Received close_notify during handshake");
1869 } else {
1870 recvCN = true;
1871 closeInboundInternal(); // reply to close
1872 }
1873 } else {
1874
1875 //
1876 // The other legal warnings relate to certificates,
1877 // e.g. no_certificate, bad_certificate, etc; these
1878 // are important to the handshaking code, which can
1879 // also handle illegal protocol alerts if needed.
1880 //
1881 if (handshaker != null) {
1882 handshaker.handshakeAlert(description);
1883 }
1884 }
1885 } else { // fatal or unknown level
1886 String reason = "Received fatal alert: "
1887 + Alerts.alertDescription(description);
1888 if (closeReason == null) {
1889 closeReason = Alerts.getSSLException(description, reason);
1890 }
1891 fatal(Alerts.alert_unexpected_message, reason);
1892 }
1893 }
1894
1895
1896 /*
1897 * Emit alerts. Caller must have synchronized with "this".
1898 */
1899 private void sendAlert(byte level, byte description) {
1900 // the connectionState cannot be cs_START
1901 if (connectionState >= cs_CLOSED) {
1902 return;
1903 }
1904
1905 // For initial handshaking, don't send alert message to peer if
1906 // handshaker has not started.
1907 //
1908 // Shall we send an fatal alter to terminate the connection gracefully?
1909 if (connectionState <= cs_HANDSHAKE &&
1910 (handshaker == null || !handshaker.started() ||
1911 !handshaker.activated())) {
1912 return;
1913 }
1914
1915 try {
1916 outputRecord.encodeAlert(level, description);
1917 } catch (IOException ioe) {
1918 // ignore
1919 }
1920 }
1921
1922
1923 //
1924 // VARIOUS OTHER METHODS (COMMON TO SSLSocket)
1925 //
1926
1927
1928 /**
1929 * Controls whether new connections may cause creation of new SSL
1930 * sessions.
1931 *
1932 * As long as handshaking has not started, we can change
1933 * whether we enable session creations. Otherwise,
1934 * we will need to wait for the next handshake.
1935 */
1936 @Override
1937 public synchronized void setEnableSessionCreation(boolean flag) {
1938 enableSessionCreation = flag;
1939
1940 if ((handshaker != null) && !handshaker.activated()) {
1941 handshaker.setEnableSessionCreation(enableSessionCreation);
1942 }
1943 }
1944
1945 /**
1946 * Returns true if new connections may cause creation of new SSL
1947 * sessions.
1948 */
1949 @Override
1950 public synchronized boolean getEnableSessionCreation() {
1951 return enableSessionCreation;
1952 }
1953
1954
1955 /**
1956 * Sets the flag controlling whether a server mode engine
1957 * *REQUIRES* SSL client authentication.
1958 *
1959 * As long as handshaking has not started, we can change
1960 * whether client authentication is needed. Otherwise,
1961 * we will need to wait for the next handshake.
1962 */
1963 @Override
1964 public synchronized void setNeedClientAuth(boolean flag) {
1965 doClientAuth = (flag ?
1966 ClientAuthType.CLIENT_AUTH_REQUIRED :
1967 ClientAuthType.CLIENT_AUTH_NONE);
1968
1969 if ((handshaker != null) &&
1970 (handshaker instanceof ServerHandshaker) &&
1971 !handshaker.activated()) {
1972 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
1973 }
1974 }
1975
1976 @Override
1977 public synchronized boolean getNeedClientAuth() {
1978 return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED);
1979 }
1980
1981 /**
1982 * Sets the flag controlling whether a server mode engine
1983 * *REQUESTS* SSL client authentication.
1984 *
1985 * As long as handshaking has not started, we can change
1986 * whether client authentication is requested. Otherwise,
1987 * we will need to wait for the next handshake.
1988 */
1989 @Override
1990 public synchronized void setWantClientAuth(boolean flag) {
1991 doClientAuth = (flag ?
1992 ClientAuthType.CLIENT_AUTH_REQUESTED :
1993 ClientAuthType.CLIENT_AUTH_NONE);
1994
1995 if ((handshaker != null) &&
1996 (handshaker instanceof ServerHandshaker) &&
1997 !handshaker.activated()) {
1998 ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
1999 }
2000 }
2001
2002 @Override
2003 public synchronized boolean getWantClientAuth() {
2004 return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED);
2005 }
2006
2007
2008 /**
2009 * Sets the flag controlling whether the engine is in SSL
2010 * client or server mode. Must be called before any SSL
2011 * traffic has started.
2012 */
2013 @Override
2014 @SuppressWarnings("fallthrough")
2015 public synchronized void setUseClientMode(boolean flag) {
2016 switch (connectionState) {
2017
2018 case cs_START:
2019 /*
2020 * If we need to change the socket mode and the enabled
2021 * protocols and cipher suites haven't specifically been
2022 * set by the user, change them to the corresponding
2023 * default ones.
2024 */
2025 if (roleIsServer != (!flag)) {
2026 if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2027 enabledProtocols =
2028 sslContext.getDefaultProtocolList(!flag);
2029 }
2030
2031 if (sslContext.isDefaultCipherSuiteList(enabledCipherSuites)) {
2032 enabledCipherSuites =
2033 sslContext.getDefaultCipherSuiteList(!flag);
2034 }
2035 }
2036
2037 roleIsServer = !flag;
2038 serverModeSet = true;
2039 break;
2040
2041 case cs_HANDSHAKE:
2042 /*
2043 * If we have a handshaker, but haven't started
2044 * SSL traffic, we can throw away our current
2045 * handshaker, and start from scratch. Don't
2046 * need to call doneConnect() again, we already
2047 * have the streams.
2048 */
2049 assert(handshaker != null);
2050 if (!handshaker.activated()) {
2051 /*
2052 * If we need to change the socket mode and the enabled
2053 * protocols and cipher suites haven't specifically been
2054 * set by the user, change them to the corresponding
2055 * default ones.
2056 */
2057 if (roleIsServer != (!flag)) {
2058 if (sslContext.isDefaultProtocolList(enabledProtocols)) {
2059 enabledProtocols =
2060 sslContext.getDefaultProtocolList(!flag);
2061 }
2062
2063 if (sslContext.isDefaultCipherSuiteList(
2064 enabledCipherSuites)) {
2065 enabledCipherSuites =
2066 sslContext.getDefaultCipherSuiteList(!flag);
2067 }
2068 }
2069
2070 roleIsServer = !flag;
2071 connectionState = cs_START;
2072 initHandshaker();
2073 break;
2074 }
2075
2076 // If handshake has started, that's an error. Fall through...
2077
2078 default:
2079 if (debug != null && Debug.isOn("ssl")) {
2080 System.out.println(Thread.currentThread().getName() +
2081 ", setUseClientMode() invoked in state = " +
2082 connectionState);
2083 }
2084
2085 /*
2086 * We can let them continue if they catch this correctly,
2087 * we don't need to shut this down.
2088 */
2089 throw new IllegalArgumentException(
2090 "Cannot change mode after SSL traffic has started");
2091 }
2092 }
2093
2094 @Override
2095 public synchronized boolean getUseClientMode() {
2096 return !roleIsServer;
2097 }
2098
2099
2100 /**
2101 * Returns the names of the cipher suites which could be enabled for use
2102 * on an SSL connection. Normally, only a subset of these will actually
2103 * be enabled by default, since this list may include cipher suites which
2104 * do not support the mutual authentication of servers and clients, or
2105 * which do not protect data confidentiality. Servers may also need
2106 * certain kinds of certificates to use certain cipher suites.
2107 *
2108 * @return an array of cipher suite names
2109 */
2110 @Override
2111 public String[] getSupportedCipherSuites() {
2112 return sslContext.getSupportedCipherSuiteList().toStringArray();
2113 }
2114
2115 /**
2116 * Controls which particular cipher suites are enabled for use on
2117 * this connection. The cipher suites must have been listed by
2118 * getCipherSuites() as being supported. Even if a suite has been
2119 * enabled, it might never be used if no peer supports it or the
2120 * requisite certificates (and private keys) are not available.
2121 *
2122 * @param suites Names of all the cipher suites to enable.
2123 */
2124 @Override
2125 public synchronized void setEnabledCipherSuites(String[] suites) {
2126 enabledCipherSuites = new CipherSuiteList(suites);
2127 if ((handshaker != null) && !handshaker.activated()) {
2128 handshaker.setEnabledCipherSuites(enabledCipherSuites);
2129 }
2130 }
2131
2132 /**
2133 * Returns the names of the SSL cipher suites which are currently enabled
2134 * for use on this connection. When an SSL engine is first created,
2135 * all enabled cipher suites <em>(a)</em> protect data confidentiality,
2136 * by traffic encryption, and <em>(b)</em> can mutually authenticate
2137 * both clients and servers. Thus, in some environments, this value
2138 * might be empty.
2139 *
2140 * @return an array of cipher suite names
2141 */
2142 @Override
2143 public synchronized String[] getEnabledCipherSuites() {
2144 return enabledCipherSuites.toStringArray();
2145 }
2146
2147
2148 /**
2149 * Returns the protocols that are supported by this implementation.
2150 * A subset of the supported protocols may be enabled for this connection
2151 * @return an array of protocol names.
2152 */
2153 @Override
2154 public String[] getSupportedProtocols() {
2155 return sslContext.getSuportedProtocolList().toStringArray();
2156 }
2157
2158 /**
2159 * Controls which protocols are enabled for use on
2160 * this connection. The protocols must have been listed by
2161 * getSupportedProtocols() as being supported.
2162 *
2163 * @param protocols protocols to enable.
2164 * @exception IllegalArgumentException when one of the protocols
2165 * named by the parameter is not supported.
2166 */
2167 @Override
2168 public synchronized void setEnabledProtocols(String[] protocols) {
2169 enabledProtocols = new ProtocolList(protocols);
2170 if ((handshaker != null) && !handshaker.activated()) {
2171 handshaker.setEnabledProtocols(enabledProtocols);
2172 }
2173 }
2174
2175 @Override
2176 public synchronized String[] getEnabledProtocols() {
2177 return enabledProtocols.toStringArray();
2178 }
2179
2180 /**
2181 * Returns the SSLParameters in effect for this SSLEngine.
2182 */
2183 @Override
2184 public synchronized SSLParameters getSSLParameters() {
2185 SSLParameters params = super.getSSLParameters();
2186
2187 // the super implementation does not handle the following parameters
2188 params.setEndpointIdentificationAlgorithm(identificationProtocol);
2189 params.setAlgorithmConstraints(algorithmConstraints);
2190 params.setSNIMatchers(sniMatchers);
2191 params.setServerNames(serverNames);
2192 params.setUseCipherSuitesOrder(preferLocalCipherSuites);
2193 params.setEnableRetransmissions(enableRetransmissions);
2194 params.setMaximumPacketSize(maximumPacketSize);
2195 params.setApplicationProtocols(applicationProtocols);
2196
2197 return params;
2198 }
2199
2200 /**
2201 * Applies SSLParameters to this engine.
2202 */
2203 @Override
2204 public synchronized void setSSLParameters(SSLParameters params) {
2205 super.setSSLParameters(params);
2206
2207 // the super implementation does not handle the following parameters
2208 identificationProtocol = params.getEndpointIdentificationAlgorithm();
2209 algorithmConstraints = params.getAlgorithmConstraints();
2210 preferLocalCipherSuites = params.getUseCipherSuitesOrder();
2211 enableRetransmissions = params.getEnableRetransmissions();
2212 maximumPacketSize = params.getMaximumPacketSize();
2213
2214 if (maximumPacketSize != 0) {
2215 outputRecord.changePacketSize(maximumPacketSize);
2216 } else {
2217 // use the implicit maximum packet size.
2218 maximumPacketSize = outputRecord.getMaxPacketSize();
2219 }
2220
2221 List<SNIServerName> sniNames = params.getServerNames();
2222 if (sniNames != null) {
2223 serverNames = sniNames;
2224 }
2225
2226 Collection<SNIMatcher> matchers = params.getSNIMatchers();
2227 if (matchers != null) {
2228 sniMatchers = matchers;
2229 }
2230 applicationProtocols = params.getApplicationProtocols();
2231
2232 if ((handshaker != null) && !handshaker.started()) {
2233 handshaker.setIdentificationProtocol(identificationProtocol);
2234 handshaker.setAlgorithmConstraints(algorithmConstraints);
2235 handshaker.setMaximumPacketSize(maximumPacketSize);
2236 handshaker.setApplicationProtocols(applicationProtocols);
2237 if (roleIsServer) {
2238 handshaker.setSNIMatchers(sniMatchers);
2239 handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
2240 } else {
2241 handshaker.setSNIServerNames(serverNames);
2242 }
2243 }
2244 }
2245
2246 @Override
2247 public synchronized String getApplicationProtocol() {
2248 return applicationProtocol;
2249 }
2250
2251 @Override
2252 public synchronized String getHandshakeApplicationProtocol() {
2253 if ((handshaker != null) && handshaker.started()) {
2254 return handshaker.getHandshakeApplicationProtocol();
2255 }
2256 return null;
2257 }
2258
2259 /**
2260 * Returns a printable representation of this end of the connection.
2261 */
2262 @Override
2263 public String toString() {
2264 StringBuilder retval = new StringBuilder(80);
2265
2266 retval.append(Integer.toHexString(hashCode()));
2267 retval.append("[");
2268 retval.append("SSLEngine[hostname=");
2269 String host = getPeerHost();
2270 retval.append((host == null) ? "null" : host);
2271 retval.append(" port=");
2272 retval.append(Integer.toString(getPeerPort()));
2273 retval.append(" role=" + (roleIsServer ? "Server" : "Client"));
2274 retval.append("] ");
2275 retval.append(getSession().getCipherSuite());
2276 retval.append("]");
2277
2278 return retval.toString();
2279 }
2280 }