author | xuelei |
Tue, 12 Jun 2018 22:15:10 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56750 | 2b4ae319412b |
parent 56739 | ae0cd8b2e2c2 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
56712 | 28 |
import java.io.EOFException; |
56542 | 29 |
import java.io.IOException; |
30 |
import java.io.InputStream; |
|
31 |
import java.io.InterruptedIOException; |
|
32 |
import java.io.OutputStream; |
|
33 |
import java.net.InetAddress; |
|
34 |
import java.net.InetSocketAddress; |
|
35 |
import java.net.Socket; |
|
36 |
import java.net.SocketAddress; |
|
37 |
import java.net.SocketException; |
|
38 |
import java.net.UnknownHostException; |
|
39 |
import java.nio.ByteBuffer; |
|
40 |
import java.util.List; |
|
42706
796cf076d69b
8170282: Enable ALPN parameters to be supplied during the TLS handshake
vinnie
parents:
38865
diff
changeset
|
41 |
import java.util.function.BiFunction; |
56542 | 42 |
import javax.net.ssl.HandshakeCompletedListener; |
43 |
import javax.net.ssl.SSLException; |
|
44 |
import javax.net.ssl.SSLHandshakeException; |
|
45 |
import javax.net.ssl.SSLParameters; |
|
46 |
import javax.net.ssl.SSLProtocolException; |
|
47 |
import javax.net.ssl.SSLServerSocket; |
|
48 |
import javax.net.ssl.SSLSession; |
|
49 |
import javax.net.ssl.SSLSocket; |
|
32834
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
50 |
import jdk.internal.misc.JavaNetInetAddressAccess; |
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
51 |
import jdk.internal.misc.SharedSecrets; |
31687 | 52 |
|
2 | 53 |
/** |
56542 | 54 |
* Implementation of an SSL socket. |
55 |
* <P> |
|
56 |
* This is a normal connection type socket, implementing SSL over some lower |
|
57 |
* level socket, such as TCP. Because it is layered over some lower level |
|
58 |
* socket, it MUST override all default socket methods. |
|
59 |
* <P> |
|
60 |
* This API offers a non-traditional option for establishing SSL |
|
2 | 61 |
* connections. You may first establish the connection directly, then pass |
62 |
* that connection to the SSL socket constructor with a flag saying which |
|
63 |
* role should be taken in the handshake protocol. (The two ends of the |
|
64 |
* connection must not choose the same role!) This allows setup of SSL |
|
65 |
* proxying or tunneling, and also allows the kind of "role reversal" |
|
66 |
* that is required for most FTP data transfers. |
|
67 |
* |
|
68 |
* @see javax.net.ssl.SSLSocket |
|
69 |
* @see SSLServerSocket |
|
70 |
* |
|
71 |
* @author David Brownell |
|
72 |
*/ |
|
56542 | 73 |
public final class SSLSocketImpl |
74 |
extends BaseSSLSocketImpl implements SSLTransport { |
|
2 | 75 |
|
56542 | 76 |
final SSLContextImpl sslContext; |
77 |
final TransportContext conContext; |
|
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
78 |
|
56542 | 79 |
private final AppInputStream appInput = new AppInputStream(); |
80 |
private final AppOutputStream appOutput = new AppOutputStream(); |
|
2 | 81 |
|
56542 | 82 |
private String peerHost; |
83 |
private boolean autoClose; |
|
84 |
private boolean isConnected = false; |
|
85 |
private boolean tlsIsClosed = false; |
|
30904 | 86 |
|
31687 | 87 |
/* |
88 |
* Is the local name service trustworthy? |
|
89 |
* |
|
90 |
* If the local name service is not trustworthy, reverse host name |
|
91 |
* resolution should not be performed for endpoint identification. |
|
92 |
*/ |
|
56718 | 93 |
private static final boolean trustNameService = |
56542 | 94 |
Utilities.getBooleanProperty("jdk.tls.trustNameService", false); |
31687 | 95 |
|
56542 | 96 |
/** |
97 |
* Package-private constructor used to instantiate an unconnected |
|
98 |
* socket. |
|
99 |
* |
|
100 |
* This instance is meant to set handshake state to use "client mode". |
|
101 |
*/ |
|
102 |
SSLSocketImpl(SSLContextImpl sslContext) { |
|
103 |
super(); |
|
104 |
this.sslContext = sslContext; |
|
105 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
106 |
this.conContext = new TransportContext(sslContext, this, |
|
107 |
new SSLSocketInputRecord(handshakeHash), |
|
108 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
109 |
} |
|
2 | 110 |
|
111 |
/** |
|
56542 | 112 |
* Package-private constructor used to instantiate a server socket. |
2 | 113 |
* |
56542 | 114 |
* This instance is meant to set handshake state to use "server mode". |
2 | 115 |
*/ |
56542 | 116 |
SSLSocketImpl(SSLContextImpl sslContext, SSLConfiguration sslConfig) { |
2 | 117 |
super(); |
56542 | 118 |
this.sslContext = sslContext; |
119 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
120 |
this.conContext = new TransportContext(sslContext, this, sslConfig, |
|
121 |
new SSLSocketInputRecord(handshakeHash), |
|
122 |
new SSLSocketOutputRecord(handshakeHash)); |
|
2 | 123 |
} |
124 |
||
125 |
/** |
|
56542 | 126 |
* Constructs an SSL connection to a named host at a specified |
127 |
* port, using the authentication context provided. |
|
2 | 128 |
* |
56542 | 129 |
* This endpoint acts as the client, and may rejoin an existing SSL session |
130 |
* if appropriate. |
|
2 | 131 |
*/ |
56542 | 132 |
SSLSocketImpl(SSLContextImpl sslContext, String peerHost, |
133 |
int peerPort) throws IOException, UnknownHostException { |
|
2 | 134 |
super(); |
56542 | 135 |
this.sslContext = sslContext; |
136 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
137 |
this.conContext = new TransportContext(sslContext, this, |
|
138 |
new SSLSocketInputRecord(handshakeHash), |
|
139 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
140 |
this.peerHost = peerHost; |
|
141 |
SocketAddress socketAddress = |
|
142 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
143 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
2 | 144 |
connect(socketAddress, 0); |
145 |
} |
|
146 |
||
147 |
/** |
|
56542 | 148 |
* Constructs an SSL connection to a server at a specified |
149 |
* address, and TCP port, using the authentication context |
|
150 |
* provided. |
|
2 | 151 |
* |
56542 | 152 |
* This endpoint acts as the client, and may rejoin an existing SSL |
153 |
* session if appropriate. |
|
2 | 154 |
*/ |
56542 | 155 |
SSLSocketImpl(SSLContextImpl sslContext, |
156 |
InetAddress address, int peerPort) throws IOException { |
|
2 | 157 |
super(); |
56542 | 158 |
this.sslContext = sslContext; |
159 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
160 |
this.conContext = new TransportContext(sslContext, this, |
|
161 |
new SSLSocketInputRecord(handshakeHash), |
|
162 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
2 | 163 |
|
56542 | 164 |
SocketAddress socketAddress = new InetSocketAddress(address, peerPort); |
2 | 165 |
connect(socketAddress, 0); |
166 |
} |
|
167 |
||
56542 | 168 |
/** |
169 |
* Constructs an SSL connection to a named host at a specified |
|
170 |
* port, using the authentication context provided. |
|
171 |
* |
|
172 |
* This endpoint acts as the client, and may rejoin an existing SSL |
|
173 |
* session if appropriate. |
|
2 | 174 |
*/ |
56542 | 175 |
SSLSocketImpl(SSLContextImpl sslContext, |
176 |
String peerHost, int peerPort, InetAddress localAddr, |
|
177 |
int localPort) throws IOException, UnknownHostException { |
|
2 | 178 |
super(); |
56542 | 179 |
this.sslContext = sslContext; |
180 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
181 |
this.conContext = new TransportContext(sslContext, this, |
|
182 |
new SSLSocketInputRecord(handshakeHash), |
|
183 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
184 |
this.peerHost = peerHost; |
|
2 | 185 |
|
56542 | 186 |
bind(new InetSocketAddress(localAddr, localPort)); |
187 |
SocketAddress socketAddress = |
|
188 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
189 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
190 |
connect(socketAddress, 0); |
|
2 | 191 |
} |
192 |
||
193 |
/** |
|
56542 | 194 |
* Constructs an SSL connection to a server at a specified |
195 |
* address, and TCP port, using the authentication context |
|
196 |
* provided. |
|
2 | 197 |
* |
56542 | 198 |
* This endpoint acts as the client, and may rejoin an existing SSL |
199 |
* session if appropriate. |
|
2 | 200 |
*/ |
56542 | 201 |
SSLSocketImpl(SSLContextImpl sslContext, |
202 |
InetAddress peerAddr, int peerPort, |
|
203 |
InetAddress localAddr, int localPort) throws IOException { |
|
204 |
super(); |
|
205 |
this.sslContext = sslContext; |
|
206 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
207 |
this.conContext = new TransportContext(sslContext, this, |
|
208 |
new SSLSocketInputRecord(handshakeHash), |
|
209 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
210 |
||
211 |
bind(new InetSocketAddress(localAddr, localPort)); |
|
212 |
SocketAddress socketAddress = new InetSocketAddress(peerAddr, peerPort); |
|
213 |
connect(socketAddress, 0); |
|
2 | 214 |
} |
215 |
||
216 |
/** |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
217 |
* Creates a server mode {@link Socket} layered over an |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
218 |
* existing connected socket, and is able to read data which has |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
219 |
* already been consumed/removed from the {@link Socket}'s |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
220 |
* underlying {@link InputStream}. |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
221 |
*/ |
56542 | 222 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
223 |
InputStream consumed, boolean autoClose) throws IOException { |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
224 |
super(sock, consumed); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
225 |
// We always layer over a connected socket |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
226 |
if (!sock.isConnected()) { |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
227 |
throw new SocketException("Underlying socket is not connected"); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
228 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
229 |
|
56542 | 230 |
this.sslContext = sslContext; |
231 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
232 |
this.conContext = new TransportContext(sslContext, this, |
|
233 |
new SSLSocketInputRecord(handshakeHash), |
|
234 |
new SSLSocketOutputRecord(handshakeHash), false); |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
235 |
this.autoClose = autoClose; |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
236 |
doneConnect(); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
237 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
238 |
|
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
239 |
/** |
56542 | 240 |
* Layer SSL traffic over an existing connection, rather than |
241 |
* creating a new connection. |
|
242 |
* |
|
243 |
* The existing connection may be used only for SSL traffic (using this |
|
244 |
* SSLSocket) until the SSLSocket.close() call returns. However, if a |
|
245 |
* protocol error is detected, that existing connection is automatically |
|
246 |
* closed. |
|
247 |
* <p> |
|
248 |
* This particular constructor always uses the socket in the |
|
249 |
* role of an SSL client. It may be useful in cases which start |
|
250 |
* using SSL after some initial data transfers, for example in some |
|
251 |
* SSL tunneling applications or as part of some kinds of application |
|
252 |
* protocols which negotiate use of a SSL based security. |
|
2 | 253 |
*/ |
56542 | 254 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
255 |
String peerHost, int port, boolean autoClose) throws IOException { |
|
256 |
super(sock); |
|
257 |
// We always layer over a connected socket |
|
258 |
if (!sock.isConnected()) { |
|
259 |
throw new SocketException("Underlying socket is not connected"); |
|
260 |
} |
|
2 | 261 |
|
56542 | 262 |
this.sslContext = sslContext; |
263 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
264 |
this.conContext = new TransportContext(sslContext, this, |
|
265 |
new SSLSocketInputRecord(handshakeHash), |
|
266 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
267 |
this.peerHost = peerHost; |
|
268 |
this.autoClose = autoClose; |
|
269 |
doneConnect(); |
|
2 | 270 |
} |
271 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
272 |
@Override |
56542 | 273 |
public void connect(SocketAddress endpoint, |
274 |
int timeout) throws IOException { |
|
2 | 275 |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
276 |
if (isLayered()) { |
2 | 277 |
throw new SocketException("Already connected"); |
278 |
} |
|
279 |
||
280 |
if (!(endpoint instanceof InetSocketAddress)) { |
|
281 |
throw new SocketException( |
|
56542 | 282 |
"Cannot handle non-Inet socket addresses."); |
2 | 283 |
} |
284 |
||
285 |
super.connect(endpoint, timeout); |
|
286 |
doneConnect(); |
|
287 |
} |
|
288 |
||
56542 | 289 |
@Override |
290 |
public String[] getSupportedCipherSuites() { |
|
291 |
return CipherSuite.namesOf(sslContext.getSupportedCipherSuites()); |
|
292 |
} |
|
293 |
||
294 |
@Override |
|
295 |
public synchronized String[] getEnabledCipherSuites() { |
|
296 |
return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites); |
|
297 |
} |
|
298 |
||
299 |
@Override |
|
300 |
public synchronized void setEnabledCipherSuites(String[] suites) { |
|
301 |
conContext.sslConfig.enabledCipherSuites = |
|
302 |
CipherSuite.validValuesOf(suites); |
|
303 |
} |
|
304 |
||
305 |
@Override |
|
306 |
public String[] getSupportedProtocols() { |
|
307 |
return ProtocolVersion.toStringArray( |
|
56611 | 308 |
sslContext.getSupportedProtocolVersions()); |
56542 | 309 |
} |
310 |
||
311 |
@Override |
|
312 |
public synchronized String[] getEnabledProtocols() { |
|
313 |
return ProtocolVersion.toStringArray( |
|
314 |
conContext.sslConfig.enabledProtocols); |
|
315 |
} |
|
316 |
||
317 |
@Override |
|
318 |
public synchronized void setEnabledProtocols(String[] protocols) { |
|
319 |
if (protocols == null) { |
|
320 |
throw new IllegalArgumentException("Protocols cannot be null"); |
|
321 |
} |
|
322 |
||
323 |
conContext.sslConfig.enabledProtocols = |
|
324 |
ProtocolVersion.namesOf(protocols); |
|
325 |
} |
|
2 | 326 |
|
56542 | 327 |
@Override |
328 |
public synchronized SSLSession getSession() { |
|
329 |
try { |
|
330 |
// start handshaking, if failed, the connection will be closed. |
|
331 |
ensureNegotiated(); |
|
332 |
} catch (IOException ioe) { |
|
333 |
if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { |
|
334 |
SSLLogger.severe("handshake failed", ioe); |
|
335 |
} |
|
336 |
||
337 |
return SSLSessionImpl.nullSession; |
|
338 |
} |
|
339 |
||
340 |
return conContext.conSession; |
|
341 |
} |
|
342 |
||
343 |
@Override |
|
344 |
public synchronized SSLSession getHandshakeSession() { |
|
345 |
if (conContext.handshakeContext != null) { |
|
346 |
return conContext.handshakeContext.handshakeSession; |
|
347 |
} |
|
30904 | 348 |
|
56542 | 349 |
return null; |
350 |
} |
|
351 |
||
352 |
@Override |
|
353 |
public synchronized void addHandshakeCompletedListener( |
|
354 |
HandshakeCompletedListener listener) { |
|
355 |
if (listener == null) { |
|
356 |
throw new IllegalArgumentException("listener is null"); |
|
357 |
} |
|
358 |
||
359 |
conContext.sslConfig.addHandshakeCompletedListener(listener); |
|
360 |
} |
|
361 |
||
362 |
@Override |
|
363 |
public synchronized void removeHandshakeCompletedListener( |
|
364 |
HandshakeCompletedListener listener) { |
|
365 |
if (listener == null) { |
|
366 |
throw new IllegalArgumentException("listener is null"); |
|
367 |
} |
|
368 |
||
369 |
conContext.sslConfig.removeHandshakeCompletedListener(listener); |
|
2 | 370 |
} |
371 |
||
56542 | 372 |
@Override |
373 |
public synchronized void startHandshake() throws IOException { |
|
374 |
checkWrite(); |
|
375 |
try { |
|
376 |
conContext.kickstart(); |
|
377 |
||
378 |
// All initial handshaking goes through this operation until we |
|
379 |
// have a valid SSL connection. |
|
380 |
// |
|
381 |
// Handle handshake messages only, need no application data. |
|
382 |
if (!conContext.isNegotiated) { |
|
383 |
readRecord(); |
|
384 |
} |
|
385 |
} catch (IOException ioe) { |
|
386 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
387 |
"Couldn't kickstart handshaking", ioe); |
|
388 |
} catch (Exception oe) { // including RuntimeException |
|
389 |
handleException(oe); |
|
390 |
} |
|
391 |
} |
|
392 |
||
393 |
@Override |
|
394 |
public synchronized void setUseClientMode(boolean mode) { |
|
395 |
conContext.setUseClientMode(mode); |
|
396 |
} |
|
397 |
||
398 |
@Override |
|
399 |
public synchronized boolean getUseClientMode() { |
|
400 |
return conContext.sslConfig.isClientMode; |
|
401 |
} |
|
402 |
||
403 |
@Override |
|
404 |
public synchronized void setNeedClientAuth(boolean need) { |
|
405 |
conContext.sslConfig.clientAuthType = |
|
406 |
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED : |
|
407 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
408 |
} |
|
409 |
||
410 |
@Override |
|
411 |
public synchronized boolean getNeedClientAuth() { |
|
412 |
return (conContext.sslConfig.clientAuthType == |
|
413 |
ClientAuthType.CLIENT_AUTH_REQUIRED); |
|
414 |
} |
|
415 |
||
416 |
@Override |
|
417 |
public synchronized void setWantClientAuth(boolean want) { |
|
418 |
conContext.sslConfig.clientAuthType = |
|
419 |
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED : |
|
420 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
2 | 421 |
} |
422 |
||
56542 | 423 |
@Override |
424 |
public synchronized boolean getWantClientAuth() { |
|
425 |
return (conContext.sslConfig.clientAuthType == |
|
426 |
ClientAuthType.CLIENT_AUTH_REQUESTED); |
|
427 |
} |
|
428 |
||
429 |
@Override |
|
430 |
public synchronized void setEnableSessionCreation(boolean flag) { |
|
431 |
conContext.sslConfig.enableSessionCreation = flag; |
|
432 |
} |
|
433 |
||
434 |
@Override |
|
435 |
public synchronized boolean getEnableSessionCreation() { |
|
436 |
return conContext.sslConfig.enableSessionCreation; |
|
437 |
} |
|
438 |
||
439 |
@Override |
|
440 |
public synchronized boolean isClosed() { |
|
441 |
return tlsIsClosed && conContext.isClosed(); |
|
2 | 442 |
} |
443 |
||
56542 | 444 |
@Override |
445 |
public synchronized void close() throws IOException { |
|
446 |
try { |
|
447 |
conContext.close(); |
|
448 |
} catch (IOException ioe) { |
|
449 |
// ignore the exception |
|
450 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
451 |
SSLLogger.warning("connection context closure failed", ioe); |
|
452 |
} |
|
453 |
} finally { |
|
454 |
tlsIsClosed = true; |
|
455 |
} |
|
456 |
} |
|
457 |
||
458 |
@Override |
|
459 |
public synchronized InputStream getInputStream() throws IOException { |
|
460 |
if (isClosed() || conContext.isInboundDone()) { |
|
461 |
throw new SocketException("Socket or inbound is closed"); |
|
462 |
} |
|
463 |
||
464 |
if (!isConnected) { |
|
465 |
throw new SocketException("Socket is not connected"); |
|
466 |
} |
|
467 |
||
468 |
return appInput; |
|
469 |
} |
|
470 |
||
471 |
private synchronized void ensureNegotiated() throws IOException { |
|
56594 | 472 |
if (conContext.isNegotiated || |
473 |
conContext.isClosed() || conContext.isBroken) { |
|
56542 | 474 |
return; |
475 |
} |
|
476 |
||
477 |
startHandshake(); |
|
2 | 478 |
} |
479 |
||
56718 | 480 |
/** |
481 |
* InputStream for application data as returned by |
|
482 |
* SSLSocket.getInputStream(). |
|
483 |
*/ |
|
56542 | 484 |
private class AppInputStream extends InputStream { |
485 |
// One element array used to implement the single byte read() method |
|
486 |
private final byte[] oneByte = new byte[1]; |
|
487 |
||
488 |
// the temporary buffer used to read network |
|
489 |
private ByteBuffer buffer; |
|
490 |
||
491 |
// Is application data available in the stream? |
|
492 |
private boolean appDataIsAvailable; |
|
493 |
||
494 |
AppInputStream() { |
|
495 |
this.appDataIsAvailable = false; |
|
496 |
this.buffer = ByteBuffer.allocate(4096); |
|
497 |
} |
|
2 | 498 |
|
56542 | 499 |
/** |
500 |
* Return the minimum number of bytes that can be read |
|
501 |
* without blocking. |
|
2 | 502 |
*/ |
56542 | 503 |
@Override |
504 |
public int available() throws IOException { |
|
505 |
// Currently not synchronized. |
|
506 |
if ((!appDataIsAvailable) || checkEOF()) { |
|
507 |
return 0; |
|
508 |
} |
|
509 |
||
510 |
return buffer.remaining(); |
|
511 |
} |
|
512 |
||
513 |
/** |
|
514 |
* Read a single byte, returning -1 on non-fault EOF status. |
|
515 |
*/ |
|
516 |
@Override |
|
517 |
public synchronized int read() throws IOException { |
|
518 |
int n = read(oneByte, 0, 1); |
|
519 |
if (n <= 0) { // EOF |
|
520 |
return -1; |
|
521 |
} |
|
522 |
||
523 |
return oneByte[0] & 0xFF; |
|
524 |
} |
|
2 | 525 |
|
56542 | 526 |
/** |
527 |
* Reads up to {@code len} bytes of data from the input stream |
|
528 |
* into an array of bytes. |
|
529 |
* |
|
530 |
* An attempt is made to read as many as {@code len} bytes, but a |
|
531 |
* smaller number may be read. The number of bytes actually read |
|
532 |
* is returned as an integer. |
|
533 |
* |
|
534 |
* If the layer above needs more data, it asks for more, so we |
|
535 |
* are responsible only for blocking to fill at most one buffer, |
|
536 |
* and returning "-1" on non-fault EOF status. |
|
537 |
*/ |
|
538 |
@Override |
|
539 |
public synchronized int read(byte[] b, int off, int len) |
|
540 |
throws IOException { |
|
541 |
if (b == null) { |
|
542 |
throw new NullPointerException("the target buffer is null"); |
|
543 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
544 |
throw new IndexOutOfBoundsException( |
|
545 |
"buffer length: " + b.length + ", offset; " + off + |
|
546 |
", bytes to read:" + len); |
|
547 |
} else if (len == 0) { |
|
548 |
return 0; |
|
549 |
} |
|
2 | 550 |
|
56542 | 551 |
if (checkEOF()) { |
552 |
return -1; |
|
553 |
} |
|
554 |
||
555 |
// start handshaking if the connection has not been negotiated. |
|
56594 | 556 |
if (!conContext.isNegotiated && |
557 |
!conContext.isClosed() && !conContext.isBroken) { |
|
56542 | 558 |
ensureNegotiated(); |
559 |
} |
|
2 | 560 |
|
56542 | 561 |
// Read the available bytes at first. |
562 |
int remains = available(); |
|
563 |
if (remains > 0) { |
|
564 |
int howmany = Math.min(remains, len); |
|
565 |
buffer.get(b, off, howmany); |
|
566 |
||
567 |
return howmany; |
|
568 |
} |
|
569 |
||
570 |
appDataIsAvailable = false; |
|
571 |
int volume = 0; |
|
572 |
try { |
|
56718 | 573 |
/* |
574 |
* Read data if needed ... notice that the connection |
|
575 |
* guarantees that handshake, alert, and change cipher spec |
|
576 |
* data streams are handled as they arrive, so we never |
|
577 |
* see them here. |
|
578 |
*/ |
|
56542 | 579 |
while (volume == 0) { |
580 |
// Clear the buffer for a new record reading. |
|
581 |
buffer.clear(); |
|
2 | 582 |
|
56542 | 583 |
// grow the buffer if needed |
584 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
585 |
if (inLen < 0) { // EOF |
|
56712 | 586 |
handleEOF(null); |
587 |
||
56739 | 588 |
// if no exception thrown |
56542 | 589 |
return -1; |
590 |
} |
|
591 |
||
592 |
// Is this packet bigger than SSL/TLS normally allows? |
|
593 |
if (inLen > SSLRecord.maxLargeRecordSize) { |
|
594 |
throw new SSLProtocolException( |
|
595 |
"Illegal packet size: " + inLen); |
|
596 |
} |
|
597 |
||
598 |
if (inLen > buffer.remaining()) { |
|
599 |
buffer = ByteBuffer.allocate(inLen); |
|
30904 | 600 |
} |
2 | 601 |
|
56542 | 602 |
volume = readRecord(buffer); |
603 |
buffer.flip(); |
|
604 |
if (volume < 0) { // EOF |
|
605 |
// treat like receiving a close_notify warning message. |
|
606 |
conContext.isInputCloseNotified = true; |
|
607 |
conContext.closeInbound(); |
|
608 |
return -1; |
|
609 |
} else if (volume > 0) { |
|
610 |
appDataIsAvailable = true; |
|
611 |
break; |
|
612 |
} |
|
613 |
} |
|
614 |
||
615 |
// file the destination buffer |
|
616 |
int howmany = Math.min(len, volume); |
|
617 |
buffer.get(b, off, howmany); |
|
618 |
return howmany; |
|
619 |
} catch (Exception e) { // including RuntimeException |
|
620 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
621 |
handleException(e); |
|
622 |
||
623 |
// dummy for compiler |
|
624 |
return -1; |
|
625 |
} |
|
626 |
} |
|
627 |
||
628 |
/** |
|
629 |
* Skip n bytes. |
|
630 |
* |
|
631 |
* This implementation is somewhat less efficient than possible, but |
|
632 |
* not badly so (redundant copy). We reuse the read() code to keep |
|
633 |
* things simpler. Note that SKIP_ARRAY is static and may garbled by |
|
634 |
* concurrent use, but we are not interested in the data anyway. |
|
635 |
*/ |
|
636 |
@Override |
|
637 |
public synchronized long skip(long n) throws IOException { |
|
638 |
// dummy array used to implement skip() |
|
639 |
byte[] skipArray = new byte[256]; |
|
640 |
||
641 |
long skipped = 0; |
|
642 |
while (n > 0) { |
|
643 |
int len = (int)Math.min(n, skipArray.length); |
|
644 |
int r = read(skipArray, 0, len); |
|
645 |
if (r <= 0) { |
|
646 |
break; |
|
647 |
} |
|
648 |
n -= r; |
|
649 |
skipped += r; |
|
650 |
} |
|
651 |
||
652 |
return skipped; |
|
653 |
} |
|
654 |
||
655 |
@Override |
|
656 |
public void close() throws IOException { |
|
657 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
658 |
SSLLogger.finest("Closing input stream"); |
|
2 | 659 |
} |
56542 | 660 |
|
661 |
conContext.closeInbound(); |
|
662 |
} |
|
663 |
} |
|
664 |
||
665 |
@Override |
|
666 |
public synchronized OutputStream getOutputStream() throws IOException { |
|
667 |
if (isClosed() || conContext.isOutboundDone()) { |
|
668 |
throw new SocketException("Socket or outbound is closed"); |
|
669 |
} |
|
670 |
||
671 |
if (!isConnected) { |
|
672 |
throw new SocketException("Socket is not connected"); |
|
673 |
} |
|
674 |
||
675 |
return appOutput; |
|
676 |
} |
|
677 |
||
56718 | 678 |
|
679 |
/** |
|
680 |
* OutputStream for application data as returned by |
|
681 |
* SSLSocket.getOutputStream(). |
|
682 |
*/ |
|
56542 | 683 |
private class AppOutputStream extends OutputStream { |
684 |
// One element array used to implement the write(byte) method |
|
685 |
private final byte[] oneByte = new byte[1]; |
|
686 |
||
687 |
@Override |
|
688 |
public void write(int i) throws IOException { |
|
689 |
oneByte[0] = (byte)i; |
|
690 |
write(oneByte, 0, 1); |
|
691 |
} |
|
692 |
||
693 |
@Override |
|
694 |
public synchronized void write(byte[] b, |
|
695 |
int off, int len) throws IOException { |
|
696 |
if (b == null) { |
|
697 |
throw new NullPointerException("the source buffer is null"); |
|
698 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
699 |
throw new IndexOutOfBoundsException( |
|
700 |
"buffer length: " + b.length + ", offset; " + off + |
|
701 |
", bytes to read:" + len); |
|
702 |
} else if (len == 0) { |
|
703 |
return; |
|
704 |
} |
|
705 |
||
706 |
// start handshaking if the connection has not been negotiated. |
|
56594 | 707 |
if (!conContext.isNegotiated && |
708 |
!conContext.isClosed() && !conContext.isBroken) { |
|
56542 | 709 |
ensureNegotiated(); |
710 |
} |
|
711 |
||
712 |
// check if the Socket is invalid (error or closed) |
|
713 |
checkWrite(); |
|
714 |
||
715 |
// Delegate the writing to the underlying socket. |
|
716 |
try { |
|
717 |
writeRecord(b, off, len); |
|
718 |
checkWrite(); |
|
719 |
} catch (IOException ioe) { |
|
720 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
721 |
handleException(ioe); |
|
722 |
} |
|
723 |
} |
|
724 |
||
725 |
@Override |
|
726 |
public void close() throws IOException { |
|
727 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
728 |
SSLLogger.finest("Closing output stream"); |
|
729 |
} |
|
730 |
||
731 |
conContext.closeOutbound(); |
|
732 |
} |
|
733 |
} |
|
734 |
||
735 |
@Override |
|
736 |
public synchronized SSLParameters getSSLParameters() { |
|
737 |
return conContext.sslConfig.getSSLParameters(); |
|
738 |
} |
|
739 |
||
740 |
@Override |
|
741 |
public synchronized void setSSLParameters(SSLParameters params) { |
|
742 |
conContext.sslConfig.setSSLParameters(params); |
|
743 |
||
744 |
if (conContext.sslConfig.maximumPacketSize != 0) { |
|
745 |
conContext.outputRecord.changePacketSize( |
|
746 |
conContext.sslConfig.maximumPacketSize); |
|
747 |
} |
|
748 |
} |
|
749 |
||
750 |
@Override |
|
751 |
public synchronized String getApplicationProtocol() { |
|
752 |
return conContext.applicationProtocol; |
|
753 |
} |
|
754 |
||
755 |
@Override |
|
756 |
public synchronized String getHandshakeApplicationProtocol() { |
|
757 |
if (conContext.handshakeContext != null) { |
|
758 |
return conContext.handshakeContext.applicationProtocol; |
|
759 |
} |
|
760 |
||
761 |
return null; |
|
762 |
} |
|
763 |
||
764 |
@Override |
|
765 |
public synchronized void setHandshakeApplicationProtocolSelector( |
|
766 |
BiFunction<SSLSocket, List<String>, String> selector) { |
|
767 |
conContext.sslConfig.socketAPSelector = selector; |
|
768 |
} |
|
769 |
||
770 |
@Override |
|
771 |
public synchronized BiFunction<SSLSocket, List<String>, String> |
|
772 |
getHandshakeApplicationProtocolSelector() { |
|
773 |
return conContext.sslConfig.socketAPSelector; |
|
774 |
} |
|
775 |
||
776 |
private synchronized void writeRecord(byte[] source, |
|
777 |
int offset, int length) throws IOException { |
|
778 |
if (conContext.isOutboundDone()) { |
|
779 |
throw new SocketException("Socket or outbound closed"); |
|
2 | 780 |
} |
781 |
||
782 |
// |
|
783 |
// Don't bother to really write empty records. We went this |
|
784 |
// far to drive the handshake machinery, for correctness; not |
|
785 |
// writing empty records improves performance by cutting CPU |
|
786 |
// time and network resource usage. However, some protocol |
|
787 |
// implementations are fragile and don't like to see empty |
|
788 |
// records, so this also increases robustness. |
|
789 |
// |
|
30904 | 790 |
if (length > 0) { |
791 |
try { |
|
56542 | 792 |
conContext.outputRecord.deliver(source, offset, length); |
30904 | 793 |
} catch (SSLHandshakeException she) { |
794 |
// may be record sequence number overflow |
|
56542 | 795 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, she); |
30904 | 796 |
} catch (IOException e) { |
56542 | 797 |
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e); |
34528
279258fb670b
8141651: Deadlock in sun.security.ssl.SSLSocketImpl
xuelei
parents:
34380
diff
changeset
|
798 |
} |
2 | 799 |
} |
7039 | 800 |
|
56542 | 801 |
// Is the sequence number is nearly overflow? |
802 |
if (conContext.outputRecord.seqNumIsHuge()) { |
|
803 |
tryKeyUpdate(); |
|
10915 | 804 |
} |
805 |
} |
|
2 | 806 |
|
56542 | 807 |
private synchronized int readRecord() throws IOException { |
808 |
while (!conContext.isInboundDone()) { |
|
809 |
try { |
|
810 |
Plaintext plainText = decode(null); |
|
811 |
if ((plainText.contentType == ContentType.HANDSHAKE.id) && |
|
812 |
conContext.isNegotiated) { |
|
813 |
return 0; |
|
814 |
} |
|
815 |
} catch (SSLException ssle) { |
|
816 |
throw ssle; |
|
817 |
} catch (IOException ioe) { |
|
56712 | 818 |
if (!(ioe instanceof SSLException)) { |
819 |
throw new SSLException("readRecord", ioe); |
|
820 |
} else { |
|
821 |
throw ioe; |
|
822 |
} |
|
56542 | 823 |
} |
2 | 824 |
} |
30904 | 825 |
|
56542 | 826 |
return -1; |
30904 | 827 |
} |
828 |
||
56542 | 829 |
private synchronized int readRecord(ByteBuffer buffer) throws IOException { |
830 |
while (!conContext.isInboundDone()) { |
|
831 |
/* |
|
832 |
* clean the buffer and check if it is too small, e.g. because |
|
833 |
* the AppInputStream did not have the chance to see the |
|
834 |
* current packet length but rather something like that of the |
|
835 |
* handshake before. In that case we return 0 at this point to |
|
836 |
* give the caller the chance to adjust the buffer. |
|
837 |
*/ |
|
838 |
buffer.clear(); |
|
839 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
840 |
if (inLen < 0) { // EOF |
|
56712 | 841 |
handleEOF(null); |
842 |
||
56739 | 843 |
// if no exception thrown |
56542 | 844 |
return -1; |
845 |
} |
|
30904 | 846 |
|
56542 | 847 |
if (buffer.remaining() < inLen) { |
848 |
return 0; |
|
849 |
} |
|
7039 | 850 |
|
56542 | 851 |
try { |
852 |
Plaintext plainText = decode(buffer); |
|
853 |
if (plainText.contentType == ContentType.APPLICATION_DATA.id) { |
|
854 |
return buffer.position(); |
|
30904 | 855 |
} |
56542 | 856 |
} catch (SSLException ssle) { |
857 |
throw ssle; |
|
858 |
} catch (IOException ioe) { |
|
56712 | 859 |
if (!(ioe instanceof SSLException)) { |
860 |
throw new SSLException("readRecord", ioe); |
|
861 |
} else { |
|
862 |
throw ioe; |
|
863 |
} |
|
56542 | 864 |
} |
7039 | 865 |
} |
866 |
||
56542 | 867 |
// |
868 |
// couldn't read, due to some kind of error |
|
869 |
// |
|
870 |
return -1; |
|
871 |
} |
|
7039 | 872 |
|
56542 | 873 |
private Plaintext decode(ByteBuffer destination) throws IOException { |
874 |
Plaintext plainText; |
|
56712 | 875 |
try { |
876 |
if (destination == null) { |
|
877 |
plainText = SSLTransport.decode(conContext, |
|
878 |
null, 0, 0, null, 0, 0); |
|
879 |
} else { |
|
880 |
plainText = SSLTransport.decode(conContext, |
|
881 |
null, 0, 0, new ByteBuffer[]{destination}, 0, 1); |
|
882 |
} |
|
883 |
} catch (EOFException eofe) { |
|
884 |
// EOFException is special as it is related to close_notify. |
|
885 |
plainText = handleEOF(eofe); |
|
7039 | 886 |
} |
30904 | 887 |
|
56542 | 888 |
// Is the sequence number is nearly overflow? |
889 |
if (plainText != Plaintext.PLAINTEXT_NULL && |
|
890 |
conContext.inputRecord.seqNumIsHuge()) { |
|
891 |
tryKeyUpdate(); |
|
892 |
} |
|
30904 | 893 |
|
56542 | 894 |
return plainText; |
2 | 895 |
} |
896 |
||
897 |
/** |
|
56542 | 898 |
* Try renegotiation or key update for sequence number wrap. |
899 |
* |
|
900 |
* Note that in order to maintain the handshake status properly, we check |
|
901 |
* the sequence number after the last record reading/writing process. As |
|
902 |
* we request renegotiation or close the connection for wrapped sequence |
|
903 |
* number when there is enough sequence number space left to handle a few |
|
904 |
* more records, so the sequence number of the last record cannot be |
|
905 |
* wrapped. |
|
2 | 906 |
*/ |
56542 | 907 |
private void tryKeyUpdate() throws IOException { |
908 |
// Don't bother to kickstart the renegotiation or key update when the |
|
909 |
// local is asking for it. |
|
910 |
if ((conContext.handshakeContext == null) && |
|
911 |
!conContext.isClosed() && !conContext.isBroken) { |
|
912 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
913 |
SSLLogger.finest("key update to wrap sequence number"); |
|
914 |
} |
|
915 |
conContext.keyUpdate(); |
|
916 |
} |
|
2 | 917 |
} |
918 |
||
56542 | 919 |
private void closeSocket(boolean selfInitiated) throws IOException { |
920 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
921 |
SSLLogger.fine("close the ssl connection " + |
|
922 |
(selfInitiated ? "(initiative)" : "(passive)")); |
|
2 | 923 |
} |
924 |
||
56542 | 925 |
if (autoClose || !isLayered()) { |
926 |
super.close(); |
|
927 |
} else if (selfInitiated) { |
|
928 |
// wait for close_notify alert to clear input stream. |
|
929 |
waitForClose(); |
|
930 |
} |
|
931 |
} |
|
932 |
||
933 |
/** |
|
934 |
* Wait for close_notify alert for a graceful closure. |
|
935 |
* |
|
936 |
* [RFC 5246] If the application protocol using TLS provides that any |
|
937 |
* data may be carried over the underlying transport after the TLS |
|
938 |
* connection is closed, the TLS implementation must receive the responding |
|
939 |
* close_notify alert before indicating to the application layer that |
|
940 |
* the TLS connection has ended. If the application protocol will not |
|
941 |
* transfer any additional data, but will only close the underlying |
|
942 |
* transport connection, then the implementation MAY choose to close the |
|
943 |
* transport without waiting for the responding close_notify. |
|
944 |
*/ |
|
945 |
private void waitForClose() throws IOException { |
|
946 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
947 |
SSLLogger.fine("wait for close_notify or alert"); |
|
2 | 948 |
} |
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
949 |
|
56542 | 950 |
while (!conContext.isInboundDone()) { |
951 |
try { |
|
952 |
Plaintext plainText = decode(null); |
|
953 |
// discard and continue |
|
954 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
955 |
SSLLogger.finest( |
|
956 |
"discard plaintext while waiting for close", plainText); |
|
957 |
} |
|
958 |
} catch (Exception e) { // including RuntimeException |
|
959 |
handleException(e); |
|
2 | 960 |
} |
961 |
} |
|
962 |
} |
|
963 |
||
964 |
/** |
|
56542 | 965 |
* Initialize the handshaker and socket streams. |
2 | 966 |
* |
56542 | 967 |
* Called by connect, the layered constructor, and SSLServerSocket. |
2 | 968 |
*/ |
56542 | 969 |
synchronized void doneConnect() throws IOException { |
970 |
// In server mode, it is not necessary to set host and serverNames. |
|
971 |
// Otherwise, would require a reverse DNS lookup to get the hostname. |
|
972 |
if ((peerHost == null) || (peerHost.length() == 0)) { |
|
973 |
boolean useNameService = |
|
974 |
trustNameService && conContext.sslConfig.isClientMode; |
|
975 |
useImplicitHost(useNameService); |
|
976 |
} else { |
|
977 |
conContext.sslConfig.serverNames = |
|
978 |
Utilities.addToSNIServerNameList( |
|
979 |
conContext.sslConfig.serverNames, peerHost); |
|
2 | 980 |
} |
981 |
||
56542 | 982 |
InputStream sockInput = super.getInputStream(); |
983 |
conContext.inputRecord.setReceiverStream(sockInput); |
|
2 | 984 |
|
56542 | 985 |
OutputStream sockOutput = super.getOutputStream(); |
986 |
conContext.inputRecord.setDeliverStream(sockOutput); |
|
987 |
conContext.outputRecord.setDeliverStream(sockOutput); |
|
2 | 988 |
|
56542 | 989 |
this.isConnected = true; |
2 | 990 |
} |
991 |
||
56542 | 992 |
private void useImplicitHost(boolean useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
993 |
// Note: If the local name service is not trustworthy, reverse |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
994 |
// host name resolution should not be performed for endpoint |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
995 |
// identification. Use the application original specified |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
996 |
// hostname or IP address instead. |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
997 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
998 |
// Get the original hostname via jdk.internal.misc.SharedSecrets |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
999 |
InetAddress inetAddress = getInetAddress(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1000 |
if (inetAddress == null) { // not connected |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1001 |
return; |
31687 | 1002 |
} |
1003 |
||
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1004 |
JavaNetInetAddressAccess jna = |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1005 |
SharedSecrets.getJavaNetInetAddressAccess(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1006 |
String originalHostname = jna.getOriginalHostName(inetAddress); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1007 |
if ((originalHostname != null) && |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1008 |
(originalHostname.length() != 0)) { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1009 |
|
56542 | 1010 |
this.peerHost = originalHostname; |
1011 |
if (conContext.sslConfig.serverNames.isEmpty() && |
|
1012 |
!conContext.sslConfig.noSniExtension) { |
|
1013 |
conContext.sslConfig.serverNames = |
|
1014 |
Utilities.addToSNIServerNameList( |
|
1015 |
conContext.sslConfig.serverNames, peerHost); |
|
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1016 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1017 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1018 |
return; |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1019 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1020 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1021 |
// No explicitly specified hostname, no server name indication. |
56542 | 1022 |
if (!useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1023 |
// The local name service is not trustworthy, use IP address. |
56542 | 1024 |
this.peerHost = inetAddress.getHostAddress(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1025 |
} else { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1026 |
// Use the underlying reverse host name resolution service. |
56542 | 1027 |
this.peerHost = getInetAddress().getHostName(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1028 |
} |
31687 | 1029 |
} |
1030 |
||
5162
0dbedf4fdb8c
6614957: HttpsURLConnection not using the set SSLSocketFactory for creating all its Sockets
chegar
parents:
2068
diff
changeset
|
1031 |
// ONLY used by HttpsClient to setup the URI specified hostname |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1032 |
// |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1033 |
// Please NOTE that this method MUST be called before calling to |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1034 |
// SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1035 |
// may override SNIHostName in the customized server name indication. |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
31918
diff
changeset
|
1036 |
public synchronized void setHost(String host) { |
56542 | 1037 |
this.peerHost = host; |
1038 |
this.conContext.sslConfig.serverNames = |
|
1039 |
Utilities.addToSNIServerNameList( |
|
1040 |
conContext.sslConfig.serverNames, host); |
|
2 | 1041 |
} |
1042 |
||
1043 |
/** |
|
56542 | 1044 |
* Return whether we have reached end-of-file. |
1045 |
* |
|
1046 |
* If the socket is not connected, has been shutdown because of an error |
|
1047 |
* or has been closed, throw an Exception. |
|
2 | 1048 |
*/ |
56542 | 1049 |
synchronized boolean checkEOF() throws IOException { |
1050 |
if (conContext.isClosed()) { |
|
56571 | 1051 |
return true; |
56542 | 1052 |
} else if (conContext.isInputCloseNotified || conContext.isBroken) { |
1053 |
if (conContext.closeReason == null) { |
|
1054 |
return true; |
|
1055 |
} else { |
|
1056 |
throw new SSLException( |
|
1057 |
"Connection has been shutdown: " + conContext.closeReason, |
|
1058 |
conContext.closeReason); |
|
2 | 1059 |
} |
1060 |
} |
|
1061 |
||
56542 | 1062 |
return false; |
7043 | 1063 |
} |
1064 |
||
2 | 1065 |
/** |
56542 | 1066 |
* Check if we can write data to this socket. |
2 | 1067 |
*/ |
56542 | 1068 |
synchronized void checkWrite() throws IOException { |
56750
2b4ae319412b
Enable RSASSA-PSS for TLS 1.2, and socket close checking
xuelei
parents:
56739
diff
changeset
|
1069 |
if (checkEOF() || conContext.isOutboundClosed()) { |
56542 | 1070 |
// we are at EOF, write must throw Exception |
1071 |
throw new SocketException("Connection closed"); |
|
1072 |
} |
|
1073 |
if (!isConnected) { |
|
1074 |
throw new SocketException("Socket is not connected"); |
|
2 | 1075 |
} |
1076 |
} |
|
1077 |
||
1078 |
/** |
|
56542 | 1079 |
* Handle an exception. |
2 | 1080 |
* |
56542 | 1081 |
* This method is called by top level exception handlers (in read(), |
1082 |
* write()) to make sure we always shutdown the connection correctly |
|
1083 |
* and do not pass runtime exception to the application. |
|
2 | 1084 |
* |
56542 | 1085 |
* This method never returns normally, it always throws an IOException. |
2 | 1086 |
*/ |
56542 | 1087 |
private void handleException(Exception cause) throws IOException { |
1088 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1089 |
SSLLogger.warning("handling exception", cause); |
|
2 | 1090 |
} |
1091 |
||
56542 | 1092 |
// Don't close the Socket in case of timeouts or interrupts. |
1093 |
if (cause instanceof InterruptedIOException) { |
|
1094 |
throw (IOException)cause; |
|
1095 |
} |
|
2 | 1096 |
|
56542 | 1097 |
// need to perform error shutdown |
1098 |
boolean isSSLException = (cause instanceof SSLException); |
|
1099 |
Alert alert; |
|
1100 |
if (isSSLException) { |
|
1101 |
if (cause instanceof SSLHandshakeException) { |
|
1102 |
alert = Alert.HANDSHAKE_FAILURE; |
|
1103 |
} else { |
|
1104 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
2 | 1105 |
} |
56542 | 1106 |
} else { |
1107 |
if (cause instanceof IOException) { |
|
1108 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
1109 |
} else { |
|
1110 |
// RuntimeException |
|
1111 |
alert = Alert.INTERNAL_ERROR; |
|
2 | 1112 |
} |
1113 |
} |
|
56542 | 1114 |
conContext.fatal(alert, cause); |
2 | 1115 |
} |
1116 |
||
56712 | 1117 |
private Plaintext handleEOF(EOFException eofe) throws IOException { |
1118 |
if (requireCloseNotify || conContext.handshakeContext != null) { |
|
1119 |
SSLException ssle; |
|
1120 |
if (conContext.handshakeContext != null) { |
|
1121 |
ssle = new SSLHandshakeException( |
|
1122 |
"Remote host terminated the handshake"); |
|
1123 |
} else { |
|
1124 |
ssle = new SSLProtocolException( |
|
1125 |
"Remote host terminated the connection"); |
|
1126 |
} |
|
1127 |
||
1128 |
if (eofe != null) { |
|
1129 |
ssle.initCause(eofe); |
|
1130 |
} |
|
1131 |
throw ssle; |
|
1132 |
} else { |
|
1133 |
// treat as if we had received a close_notify |
|
1134 |
conContext.isInputCloseNotified = true; |
|
1135 |
conContext.transport.shutdown(); |
|
1136 |
||
1137 |
return Plaintext.PLAINTEXT_NULL; |
|
1138 |
} |
|
1139 |
} |
|
1140 |
||
1141 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1142 |
@Override |
56542 | 1143 |
public String getPeerHost() { |
1144 |
return peerHost; |
|
2 | 1145 |
} |
1146 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1147 |
@Override |
56542 | 1148 |
public int getPeerPort() { |
1149 |
return getPort(); |
|
2 | 1150 |
} |
1151 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1152 |
@Override |
56542 | 1153 |
public boolean useDelegatedTask() { |
1154 |
return false; |
|
2 | 1155 |
} |
1156 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1157 |
@Override |
56542 | 1158 |
public void shutdown() throws IOException { |
1159 |
if (!isClosed()) { |
|
1160 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1161 |
SSLLogger.fine("close the underlying socket"); |
|
1162 |
} |
|
2 | 1163 |
|
56542 | 1164 |
try { |
1165 |
if (conContext.isInputCloseNotified) { |
|
1166 |
// Close the connection, no wait for more peer response. |
|
1167 |
closeSocket(false); |
|
1168 |
} else { |
|
1169 |
// Close the connection, may wait for peer close_notify. |
|
1170 |
closeSocket(true); |
|
1171 |
} |
|
1172 |
} finally { |
|
1173 |
tlsIsClosed = true; |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1174 |
} |
7043 | 1175 |
} |
2 | 1176 |
} |
1177 |
} |