/*

 * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.ssl;

import java.io.*;

import java.nio.*;

import java.util.*;

import java.security.*;

import javax.crypto.BadPaddingException;

import javax.net.ssl.*;

import javax.net.ssl.SSLEngineResult.*;

/**

 * Implementation of an non-blocking SSLEngine.

 *

 * *Currently*, the SSLEngine code exists in parallel with the current

 * SSLSocket.  As such, the current implementation is using legacy code

 * with many of the same abstractions.  However, it varies in many

 * areas, most dramatically in the IO handling.

 *

 * There are three main I/O threads that can be existing in parallel:

 * wrap(), unwrap(), and beginHandshake().  We are encouraging users to

 * not call multiple instances of wrap or unwrap, because the data could

 * appear to flow out of the SSLEngine in a non-sequential order.  We

 * take all steps we can to at least make sure the ordering remains

 * consistent, but once the calls returns, anything can happen.  For

 * example, thread1 and thread2 both call wrap, thread1 gets the first

 * packet, thread2 gets the second packet, but thread2 gets control back

 * before thread1, and sends the data.  The receiving side would see an

 * out-of-order error.

 *

 * @author Brad Wetmore

 */

    //

    // Fields and global comments

    //

    /*

     * There's a state machine associated with each connection, which

     * among other roles serves to negotiate session changes.

     *

     * - START with constructor, until the TCP connection's around.

     * - HANDSHAKE picks session parameters before allowing traffic.

     *          There are many substates due to sequencing requirements

     *          for handshake messages.

     * - DATA may be transmitted.

     * - RENEGOTIATE state allows concurrent data and handshaking

     *          traffic ("same" substates as HANDSHAKE), and terminates

     *          in selection of new session (and connection) parameters

     * - ERROR state immediately precedes abortive disconnect.

     * - CLOSED when one side closes down, used to start the shutdown

     *          process.  SSL connection objects are not reused.

     *

     * State affects what SSL record types may legally be sent:

     *

     * - Handshake ... only in HANDSHAKE and RENEGOTIATE states

     * - App Data ... only in DATA and RENEGOTIATE states

     * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE

     *

     * Re what may be received:  same as what may be sent, except that

     * HandshakeRequest handshaking messages can come from servers even

     * in the application data state, to request entry to RENEGOTIATE.

     *

     * The state machine within HANDSHAKE and RENEGOTIATE states controls

     * the pending session, not the connection state, until the change

     * cipher spec and "Finished" handshake messages are processed and

     * make the "new" session become the current one.

     *

     * NOTE: details of the SMs always need to be nailed down better.

     * The text above illustrates the core ideas.

     *

     *                +---->-------+------>--------->-------+

     *                |            |                        |

     *     <-----<    ^            ^  <-----<               |

     *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE    |

     *                v            v               v        |

     *                |            |               |        |

     *                +------------+---------------+        |

     *                |                                     |

     *                v                                     |

     *               ERROR>------>----->CLOSED<--------<----+

     *

     * ALSO, note that the purpose of handshaking (renegotiation is

     * included) is to assign a different, and perhaps new, session to

     * the connection.  The SSLv3 spec is a bit confusing on that new

     * protocol feature.

     */

    private int                 connectionState;

    private static final int    cs_START = 0;

    private static final int    cs_HANDSHAKE = 1;

    private static final int    cs_DATA = 2;

    private static final int    cs_RENEGOTIATE = 3;

    private static final int    cs_ERROR = 4;

    private static final int    cs_CLOSED = 6;

    /*

     * Once we're in state cs_CLOSED, we can continue to

     * wrap/unwrap until we finish sending/receiving the messages

     * for close_notify.

     */

    private boolean             inboundDone = false;

    private boolean             outboundDone = false;

    /*

     * The authentication context holds all information used to establish

     * who this end of the connection is (certificate chains, private keys,

     * etc) and who is trusted (e.g. as CAs or websites).

     */

    private SSLContextImpl      sslContext;

    /*

     * This connection is one of (potentially) many associated with

     * any given session.  The output of the handshake protocol is a

     * new session ... although all the protocol description talks

     * about changing the cipher spec (and it does change), in fact

     * that's incidental since it's done by changing everything that

     * is associated with a session at the same time.  (TLS/IETF may

     * change that to add client authentication w/o new key exchg.)

     */

    private Handshaker                  handshaker;

    private SSLSessionImpl              sess;

    private volatile SSLSessionImpl     handshakeSession;

    /*

     * Flag indicating if the next record we receive MUST be a Finished

     * message. Temporarily set during the handshake to ensure that

     * a change cipher spec message is followed by a finished message.

     */

    private boolean             expectingFinished;

    /*

     * If someone tries to closeInbound() (say at End-Of-Stream)

     * our engine having received a close_notify, we need to

     * notify the app that we may have a truncation attack underway.

     */

    private boolean             recvCN;

    /*

     * For improved diagnostics, we detail connection closure

     * If the engine is closed (connectionState >= cs_ERROR),

     * closeReason != null indicates if the engine was closed

     * because of an error or because or normal shutdown.

     */

    private SSLException        closeReason;

    /*

     * Per-connection private state that doesn't change when the

     * session is changed.

     */

    private ClientAuthType          doClientAuth =

                                            ClientAuthType.CLIENT_AUTH_NONE;

    private boolean                 enableSessionCreation = true;

    InputRecord                     inputRecord;

    OutputRecord                    outputRecord;

    private AccessControlContext    acc;

    // The cipher suites enabled for use on this connection.

    private CipherSuiteList             enabledCipherSuites;

    // the endpoint identification protocol

    private String                      identificationProtocol = null;

    // The cryptographic algorithm constraints

    private AlgorithmConstraints        algorithmConstraints = null;

    // The server name indication and matchers

    List<SNIServerName>         serverNames =

                                    Collections.<SNIServerName>emptyList();

    Collection<SNIMatcher>      sniMatchers =

                                    Collections.<SNIMatcher>emptyList();

    // Have we been told whether we're client or server?

    private boolean                     serverModeSet = false;

    private boolean                     roleIsServer;

    /*

     * The protocol versions enabled for use on this connection.

     *

     * Note: we support a pseudo protocol called SSLv2Hello which when

     * set will result in an SSL v2 Hello being sent with SSL (version 3.0)

     * or TLS (version 3.1, 3.2, etc.) version info.

     */

    private ProtocolList        enabledProtocols;

    /*

     * The SSL version associated with this connection.

     */

    private ProtocolVersion     protocolVersion;

    /*

     * security parameters for secure renegotiation.

     */

    private boolean             secureRenegotiation;

    private byte[]              clientVerifyData;

    private byte[]              serverVerifyData;

    /*

     * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *

     * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.

     * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *

     *

     * There are several locks here.

     *

     * The primary lock is the per-instance lock used by

     * synchronized(this) and the synchronized methods.  It controls all

     * access to things such as the connection state and variables which

     * affect handshaking.  If we are inside a synchronized method, we

     * can access the state directly, otherwise, we must use the

     * synchronized equivalents.

     *

     * Note that we must never acquire the <code>this</code> lock after

     * <code>writeLock</code> or run the risk of deadlock.

     *

     * Grab some coffee, and be careful with any code changes.

     */

    private Object              wrapLock;

    private Object              unwrapLock;

    Object                      writeLock;

    /*

     * Whether local cipher suites preference in server side should be

     * honored during handshaking?

     */

    private boolean preferLocalCipherSuites = false;

    /*

     * whether DTLS handshake retransmissions should be enabled?

     */

    private boolean enableRetransmissions = false;

    /*

     * The maximum expected network packet size for SSL/TLS/DTLS records.

     */

    private int maximumPacketSize = 0;

    /*

     * Is this an instance for Datagram Transport Layer Security (DTLS)?

     */

    private final boolean isDTLS;

    /*

     * Class and subclass dynamic debugging support

     */

    private static final Debug debug = Debug.getInstance("ssl");

    //

    // Initialization/Constructors

    //

    /**

     * Constructor for an SSLEngine from SSLContext, without

     * host/port hints.  This Engine will not be able to cache

     * sessions, but must renegotiate everything by hand.

     */

    SSLEngineImpl(SSLContextImpl ctx, boolean isDTLS) {

        super();

        this.isDTLS = isDTLS;

        init(ctx, isDTLS);

    }

    /**

     * Constructor for an SSLEngine from SSLContext.

     */

    SSLEngineImpl(SSLContextImpl ctx, String host, int port, boolean isDTLS) {

        super(host, port);

        this.isDTLS = isDTLS;

        init(ctx, isDTLS);

    }

    /**

     * Initializes the Engine

     */

    private void init(SSLContextImpl ctx, boolean isDTLS) {

        if (debug != null && Debug.isOn("ssl")) {

            System.out.println("Using SSLEngineImpl.");

        }

        sslContext = ctx;

        sess = SSLSessionImpl.nullSession;

        handshakeSession = null;

        protocolVersion = isDTLS ?

                ProtocolVersion.DEFAULT_DTLS : ProtocolVersion.DEFAULT_TLS;

        /*

         * State is cs_START until we initialize the handshaker.

         *

         * Apps using SSLEngine are probably going to be server.

         * Somewhat arbitrary choice.

         */

        roleIsServer = true;

        connectionState = cs_START;

        // default server name indication

        serverNames =

            Utilities.addToSNIServerNameList(serverNames, getPeerHost());

        // default security parameters for secure renegotiation

        secureRenegotiation = false;

        clientVerifyData = new byte[0];

        serverVerifyData = new byte[0];

        enabledCipherSuites =

                sslContext.getDefaultCipherSuiteList(roleIsServer);

        enabledProtocols =

                sslContext.getDefaultProtocolList(roleIsServer);

        wrapLock = new Object();

        unwrapLock = new Object();

        writeLock = new Object();

        /*

         * Save the Access Control Context.  This will be used later

         * for a couple of things, including providing a context to

         * run tasks in, and for determining which credentials

         * to use for Subject based (JAAS) decisions

         */

        acc = AccessController.getContext();

        /*

         * All outbound application data goes through this OutputRecord,

         * other data goes through their respective records created

         * elsewhere.  All inbound data goes through this one

         * input record.

         */

        if (isDTLS) {

            enableRetransmissions = true;

            // SSLEngine needs no record local buffer

            outputRecord = new DTLSOutputRecord();

            inputRecord = new DTLSInputRecord();

        } else {

            outputRecord = new SSLEngineOutputRecord();

            inputRecord = new SSLEngineInputRecord();

        }

        maximumPacketSize = outputRecord.getMaxPacketSize();

    }

    /**

     * Initialize the handshaker object. This means:

     *

     *  . if a handshake is already in progress (state is cs_HANDSHAKE

     *    or cs_RENEGOTIATE), do nothing and return

     *

     *  . if the engine is already closed, throw an Exception (internal error)

     *

     *  . otherwise (cs_START or cs_DATA), create the appropriate handshaker

     *    object and advance the connection state (to cs_HANDSHAKE or

     *    cs_RENEGOTIATE, respectively).

     *

     * This method is called right after a new engine is created, when

     * starting renegotiation, or when changing client/server mode of the

     * engine.

     */

    private void initHandshaker() {

        switch (connectionState) {

        //

        // Starting a new handshake.

        //

        case cs_START:

        case cs_DATA:

            break;

        //

        // We're already in the middle of a handshake.

        //

        case cs_HANDSHAKE:

        case cs_RENEGOTIATE:

            return;

        //

        // Anyone allowed to call this routine is required to

        // do so ONLY if the connection state is reasonable...

        //

        default:

            throw new IllegalStateException("Internal error");

        }

        // state is either cs_START or cs_DATA

        if (connectionState == cs_START) {

            connectionState = cs_HANDSHAKE;

        } else { // cs_DATA

            connectionState = cs_RENEGOTIATE;

        }

        if (roleIsServer) {

            handshaker = new ServerHandshaker(this, sslContext,

                    enabledProtocols, doClientAuth,

                    protocolVersion, connectionState == cs_HANDSHAKE,

                    secureRenegotiation, clientVerifyData, serverVerifyData,

                    isDTLS);

            handshaker.setSNIMatchers(sniMatchers);

            handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);

        } else {

            handshaker = new ClientHandshaker(this, sslContext,

                    enabledProtocols,

                    protocolVersion, connectionState == cs_HANDSHAKE,

                    secureRenegotiation, clientVerifyData, serverVerifyData,

                    isDTLS);

            handshaker.setSNIServerNames(serverNames);

        }

        handshaker.setMaximumPacketSize(maximumPacketSize);

        handshaker.setEnabledCipherSuites(enabledCipherSuites);

        handshaker.setEnableSessionCreation(enableSessionCreation);

        outputRecord.initHandshaker();

    }

    /*

     * Report the current status of the Handshaker

     */

    private HandshakeStatus getHSStatus(HandshakeStatus hss) {

        if (hss != null) {

            return hss;

        }

        synchronized (this) {

            if (!outputRecord.isEmpty()) {

                // If no handshaking, special case to wrap alters.

                return HandshakeStatus.NEED_WRAP;

            } else if (handshaker != null) {

                if (handshaker.taskOutstanding()) {

                    return HandshakeStatus.NEED_TASK;

                } else if (isDTLS && !inputRecord.isEmpty()) {

                    return HandshakeStatus.NEED_UNWRAP_AGAIN;

                } else {

                    return HandshakeStatus.NEED_UNWRAP;

                }

            } else if (connectionState == cs_CLOSED) {

                /*

                 * Special case where we're closing, but

                 * still need the close_notify before we

                 * can officially be closed.

                 *

                 * Note isOutboundDone is taken care of by

                 * hasOutboundData() above.

                 */

                if (!isInboundDone()) {

                    return HandshakeStatus.NEED_UNWRAP;

                } // else not handshaking

            }

            return HandshakeStatus.NOT_HANDSHAKING;

        }

    }

        if (handshaker != null) {

            handshaker.checkThrown();

        }

    }

    //

    // Handshaking and connection state code

    //

    /*

     * Provides "this" synchronization for connection state.

     * Otherwise, you can access it directly.

     */

        return connectionState;

    }

        connectionState = state;

    }

    /*

     * Get the Access Control Context.

     *

     * Used for a known context to

     * run tasks in, and for determining which credentials

     * to use for Subject-based (JAAS) decisions.

     */

    AccessControlContext getAcc() {

        return acc;

    }

    /*

     * Is a handshake currently underway?

     */

    @Override