author | wetmore |
Fri, 11 May 2018 15:53:12 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56542 | 56aaa6cb3693 |
parent 47271 | dc9b1da1314b |
child 56571 | 9dfdc35eb270 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
56542 | 28 |
import java.io.IOException; |
29 |
import java.io.InputStream; |
|
30 |
import java.io.InterruptedIOException; |
|
31 |
import java.io.OutputStream; |
|
32 |
import java.net.InetAddress; |
|
33 |
import java.net.InetSocketAddress; |
|
34 |
import java.net.Socket; |
|
35 |
import java.net.SocketAddress; |
|
36 |
import java.net.SocketException; |
|
37 |
import java.net.UnknownHostException; |
|
38 |
import java.nio.ByteBuffer; |
|
39 |
import java.util.List; |
|
42706
796cf076d69b
8170282: Enable ALPN parameters to be supplied during the TLS handshake
vinnie
parents:
38865
diff
changeset
|
40 |
import java.util.function.BiFunction; |
56542 | 41 |
import javax.net.ssl.HandshakeCompletedListener; |
42 |
import javax.net.ssl.SSLException; |
|
43 |
import javax.net.ssl.SSLHandshakeException; |
|
44 |
import javax.net.ssl.SSLParameters; |
|
45 |
import javax.net.ssl.SSLProtocolException; |
|
46 |
import javax.net.ssl.SSLServerSocket; |
|
47 |
import javax.net.ssl.SSLSession; |
|
48 |
import javax.net.ssl.SSLSocket; |
|
32834
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
49 |
import jdk.internal.misc.JavaNetInetAddressAccess; |
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
50 |
import jdk.internal.misc.SharedSecrets; |
31687 | 51 |
|
2 | 52 |
/** |
56542 | 53 |
* Implementation of an SSL socket. |
54 |
* <P> |
|
55 |
* This is a normal connection type socket, implementing SSL over some lower |
|
56 |
* level socket, such as TCP. Because it is layered over some lower level |
|
57 |
* socket, it MUST override all default socket methods. |
|
58 |
* <P> |
|
59 |
* This API offers a non-traditional option for establishing SSL |
|
2 | 60 |
* connections. You may first establish the connection directly, then pass |
61 |
* that connection to the SSL socket constructor with a flag saying which |
|
62 |
* role should be taken in the handshake protocol. (The two ends of the |
|
63 |
* connection must not choose the same role!) This allows setup of SSL |
|
64 |
* proxying or tunneling, and also allows the kind of "role reversal" |
|
65 |
* that is required for most FTP data transfers. |
|
66 |
* |
|
67 |
* @see javax.net.ssl.SSLSocket |
|
68 |
* @see SSLServerSocket |
|
69 |
* |
|
70 |
* @author David Brownell |
|
71 |
*/ |
|
56542 | 72 |
public final class SSLSocketImpl |
73 |
extends BaseSSLSocketImpl implements SSLTransport { |
|
2 | 74 |
|
56542 | 75 |
final SSLContextImpl sslContext; |
76 |
final TransportContext conContext; |
|
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
77 |
|
56542 | 78 |
private final AppInputStream appInput = new AppInputStream(); |
79 |
private final AppOutputStream appOutput = new AppOutputStream(); |
|
2 | 80 |
|
56542 | 81 |
private String peerHost; |
82 |
private boolean autoClose; |
|
83 |
private boolean isConnected = false; |
|
84 |
private boolean tlsIsClosed = false; |
|
30904 | 85 |
|
31687 | 86 |
/* |
87 |
* Is the local name service trustworthy? |
|
88 |
* |
|
89 |
* If the local name service is not trustworthy, reverse host name |
|
90 |
* resolution should not be performed for endpoint identification. |
|
91 |
*/ |
|
92 |
static final boolean trustNameService = |
|
56542 | 93 |
Utilities.getBooleanProperty("jdk.tls.trustNameService", false); |
31687 | 94 |
|
56542 | 95 |
/** |
96 |
* Package-private constructor used to instantiate an unconnected |
|
97 |
* socket. |
|
98 |
* |
|
99 |
* This instance is meant to set handshake state to use "client mode". |
|
100 |
*/ |
|
101 |
SSLSocketImpl(SSLContextImpl sslContext) { |
|
102 |
super(); |
|
103 |
this.sslContext = sslContext; |
|
104 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
105 |
this.conContext = new TransportContext(sslContext, this, |
|
106 |
new SSLSocketInputRecord(handshakeHash), |
|
107 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
108 |
} |
|
2 | 109 |
|
110 |
/** |
|
56542 | 111 |
* Package-private constructor used to instantiate a server socket. |
2 | 112 |
* |
56542 | 113 |
* This instance is meant to set handshake state to use "server mode". |
2 | 114 |
*/ |
56542 | 115 |
SSLSocketImpl(SSLContextImpl sslContext, SSLConfiguration sslConfig) { |
2 | 116 |
super(); |
56542 | 117 |
this.sslContext = sslContext; |
118 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
119 |
this.conContext = new TransportContext(sslContext, this, sslConfig, |
|
120 |
new SSLSocketInputRecord(handshakeHash), |
|
121 |
new SSLSocketOutputRecord(handshakeHash)); |
|
2 | 122 |
} |
123 |
||
124 |
/** |
|
56542 | 125 |
* Constructs an SSL connection to a named host at a specified |
126 |
* port, using the authentication context provided. |
|
2 | 127 |
* |
56542 | 128 |
* This endpoint acts as the client, and may rejoin an existing SSL session |
129 |
* if appropriate. |
|
2 | 130 |
*/ |
56542 | 131 |
SSLSocketImpl(SSLContextImpl sslContext, String peerHost, |
132 |
int peerPort) throws IOException, UnknownHostException { |
|
2 | 133 |
super(); |
56542 | 134 |
this.sslContext = sslContext; |
135 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
136 |
this.conContext = new TransportContext(sslContext, this, |
|
137 |
new SSLSocketInputRecord(handshakeHash), |
|
138 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
139 |
this.peerHost = peerHost; |
|
140 |
SocketAddress socketAddress = |
|
141 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
142 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
2 | 143 |
connect(socketAddress, 0); |
144 |
} |
|
145 |
||
146 |
/** |
|
56542 | 147 |
* Constructs an SSL connection to a server at a specified |
148 |
* address, and TCP port, using the authentication context |
|
149 |
* provided. |
|
2 | 150 |
* |
56542 | 151 |
* This endpoint acts as the client, and may rejoin an existing SSL |
152 |
* session if appropriate. |
|
2 | 153 |
*/ |
56542 | 154 |
SSLSocketImpl(SSLContextImpl sslContext, |
155 |
InetAddress address, int peerPort) throws IOException { |
|
2 | 156 |
super(); |
56542 | 157 |
this.sslContext = sslContext; |
158 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
159 |
this.conContext = new TransportContext(sslContext, this, |
|
160 |
new SSLSocketInputRecord(handshakeHash), |
|
161 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
2 | 162 |
|
56542 | 163 |
SocketAddress socketAddress = new InetSocketAddress(address, peerPort); |
2 | 164 |
connect(socketAddress, 0); |
165 |
} |
|
166 |
||
56542 | 167 |
/** |
168 |
* Constructs an SSL connection to a named host at a specified |
|
169 |
* port, using the authentication context provided. |
|
170 |
* |
|
171 |
* This endpoint acts as the client, and may rejoin an existing SSL |
|
172 |
* session if appropriate. |
|
2 | 173 |
*/ |
56542 | 174 |
SSLSocketImpl(SSLContextImpl sslContext, |
175 |
String peerHost, int peerPort, InetAddress localAddr, |
|
176 |
int localPort) throws IOException, UnknownHostException { |
|
2 | 177 |
super(); |
56542 | 178 |
this.sslContext = sslContext; |
179 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
180 |
this.conContext = new TransportContext(sslContext, this, |
|
181 |
new SSLSocketInputRecord(handshakeHash), |
|
182 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
183 |
this.peerHost = peerHost; |
|
2 | 184 |
|
56542 | 185 |
bind(new InetSocketAddress(localAddr, localPort)); |
186 |
SocketAddress socketAddress = |
|
187 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
188 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
189 |
connect(socketAddress, 0); |
|
2 | 190 |
} |
191 |
||
192 |
/** |
|
56542 | 193 |
* Constructs an SSL connection to a server at a specified |
194 |
* address, and TCP port, using the authentication context |
|
195 |
* provided. |
|
2 | 196 |
* |
56542 | 197 |
* This endpoint acts as the client, and may rejoin an existing SSL |
198 |
* session if appropriate. |
|
2 | 199 |
*/ |
56542 | 200 |
SSLSocketImpl(SSLContextImpl sslContext, |
201 |
InetAddress peerAddr, int peerPort, |
|
202 |
InetAddress localAddr, int localPort) throws IOException { |
|
203 |
super(); |
|
204 |
this.sslContext = sslContext; |
|
205 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
206 |
this.conContext = new TransportContext(sslContext, this, |
|
207 |
new SSLSocketInputRecord(handshakeHash), |
|
208 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
209 |
||
210 |
bind(new InetSocketAddress(localAddr, localPort)); |
|
211 |
SocketAddress socketAddress = new InetSocketAddress(peerAddr, peerPort); |
|
212 |
connect(socketAddress, 0); |
|
2 | 213 |
} |
214 |
||
215 |
/** |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
216 |
* Creates a server mode {@link Socket} layered over an |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
217 |
* existing connected socket, and is able to read data which has |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
218 |
* already been consumed/removed from the {@link Socket}'s |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
219 |
* underlying {@link InputStream}. |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
220 |
*/ |
56542 | 221 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
222 |
InputStream consumed, boolean autoClose) throws IOException { |
56542 | 223 |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
224 |
super(sock, consumed); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
225 |
// We always layer over a connected socket |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
226 |
if (!sock.isConnected()) { |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
227 |
throw new SocketException("Underlying socket is not connected"); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
228 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
229 |
|
56542 | 230 |
this.sslContext = sslContext; |
231 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
232 |
this.conContext = new TransportContext(sslContext, this, |
|
233 |
new SSLSocketInputRecord(handshakeHash), |
|
234 |
new SSLSocketOutputRecord(handshakeHash), false); |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
235 |
this.autoClose = autoClose; |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
236 |
doneConnect(); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
237 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
238 |
|
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
239 |
/** |
56542 | 240 |
* Layer SSL traffic over an existing connection, rather than |
241 |
* creating a new connection. |
|
242 |
* |
|
243 |
* The existing connection may be used only for SSL traffic (using this |
|
244 |
* SSLSocket) until the SSLSocket.close() call returns. However, if a |
|
245 |
* protocol error is detected, that existing connection is automatically |
|
246 |
* closed. |
|
247 |
* <p> |
|
248 |
* This particular constructor always uses the socket in the |
|
249 |
* role of an SSL client. It may be useful in cases which start |
|
250 |
* using SSL after some initial data transfers, for example in some |
|
251 |
* SSL tunneling applications or as part of some kinds of application |
|
252 |
* protocols which negotiate use of a SSL based security. |
|
2 | 253 |
*/ |
56542 | 254 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
255 |
String peerHost, int port, boolean autoClose) throws IOException { |
|
256 |
super(sock); |
|
257 |
// We always layer over a connected socket |
|
258 |
if (!sock.isConnected()) { |
|
259 |
throw new SocketException("Underlying socket is not connected"); |
|
260 |
} |
|
2 | 261 |
|
56542 | 262 |
this.sslContext = sslContext; |
263 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
264 |
this.conContext = new TransportContext(sslContext, this, |
|
265 |
new SSLSocketInputRecord(handshakeHash), |
|
266 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
267 |
this.peerHost = peerHost; |
|
268 |
this.autoClose = autoClose; |
|
269 |
doneConnect(); |
|
2 | 270 |
} |
271 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
272 |
@Override |
56542 | 273 |
public void connect(SocketAddress endpoint, |
274 |
int timeout) throws IOException { |
|
2 | 275 |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
276 |
if (isLayered()) { |
2 | 277 |
throw new SocketException("Already connected"); |
278 |
} |
|
279 |
||
280 |
if (!(endpoint instanceof InetSocketAddress)) { |
|
281 |
throw new SocketException( |
|
56542 | 282 |
"Cannot handle non-Inet socket addresses."); |
2 | 283 |
} |
284 |
||
285 |
super.connect(endpoint, timeout); |
|
286 |
doneConnect(); |
|
287 |
} |
|
288 |
||
56542 | 289 |
@Override |
290 |
public String[] getSupportedCipherSuites() { |
|
291 |
return CipherSuite.namesOf(sslContext.getSupportedCipherSuites()); |
|
292 |
} |
|
293 |
||
294 |
@Override |
|
295 |
public synchronized String[] getEnabledCipherSuites() { |
|
296 |
return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites); |
|
297 |
} |
|
298 |
||
299 |
@Override |
|
300 |
public synchronized void setEnabledCipherSuites(String[] suites) { |
|
301 |
if (suites == null) { |
|
302 |
throw new IllegalArgumentException("CipherSuites cannot be null"); |
|
303 |
} |
|
304 |
||
305 |
conContext.sslConfig.enabledCipherSuites = |
|
306 |
CipherSuite.validValuesOf(suites); |
|
307 |
} |
|
308 |
||
309 |
@Override |
|
310 |
public String[] getSupportedProtocols() { |
|
311 |
return ProtocolVersion.toStringArray( |
|
312 |
sslContext.getSuportedProtocolVersions()); |
|
313 |
} |
|
314 |
||
315 |
@Override |
|
316 |
public synchronized String[] getEnabledProtocols() { |
|
317 |
return ProtocolVersion.toStringArray( |
|
318 |
conContext.sslConfig.enabledProtocols); |
|
319 |
} |
|
320 |
||
321 |
@Override |
|
322 |
public synchronized void setEnabledProtocols(String[] protocols) { |
|
323 |
if (protocols == null) { |
|
324 |
throw new IllegalArgumentException("Protocols cannot be null"); |
|
325 |
} |
|
326 |
||
327 |
conContext.sslConfig.enabledProtocols = |
|
328 |
ProtocolVersion.namesOf(protocols); |
|
329 |
} |
|
2 | 330 |
|
56542 | 331 |
@Override |
332 |
public synchronized SSLSession getSession() { |
|
333 |
try { |
|
334 |
// start handshaking, if failed, the connection will be closed. |
|
335 |
ensureNegotiated(); |
|
336 |
} catch (IOException ioe) { |
|
337 |
if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { |
|
338 |
SSLLogger.severe("handshake failed", ioe); |
|
339 |
} |
|
340 |
||
341 |
return SSLSessionImpl.nullSession; |
|
342 |
} |
|
343 |
||
344 |
return conContext.conSession; |
|
345 |
} |
|
346 |
||
347 |
@Override |
|
348 |
public synchronized SSLSession getHandshakeSession() { |
|
349 |
if (conContext.handshakeContext != null) { |
|
350 |
return conContext.handshakeContext.handshakeSession; |
|
351 |
} |
|
30904 | 352 |
|
56542 | 353 |
return null; |
354 |
} |
|
355 |
||
356 |
@Override |
|
357 |
public synchronized void addHandshakeCompletedListener( |
|
358 |
HandshakeCompletedListener listener) { |
|
359 |
if (listener == null) { |
|
360 |
throw new IllegalArgumentException("listener is null"); |
|
361 |
} |
|
362 |
||
363 |
conContext.sslConfig.addHandshakeCompletedListener(listener); |
|
364 |
} |
|
365 |
||
366 |
@Override |
|
367 |
public synchronized void removeHandshakeCompletedListener( |
|
368 |
HandshakeCompletedListener listener) { |
|
369 |
if (listener == null) { |
|
370 |
throw new IllegalArgumentException("listener is null"); |
|
371 |
} |
|
372 |
||
373 |
conContext.sslConfig.removeHandshakeCompletedListener(listener); |
|
2 | 374 |
} |
375 |
||
56542 | 376 |
@Override |
377 |
public synchronized void startHandshake() throws IOException { |
|
378 |
checkWrite(); |
|
379 |
try { |
|
380 |
conContext.kickstart(); |
|
381 |
||
382 |
// All initial handshaking goes through this operation until we |
|
383 |
// have a valid SSL connection. |
|
384 |
// |
|
385 |
// Handle handshake messages only, need no application data. |
|
386 |
if (!conContext.isNegotiated) { |
|
387 |
readRecord(); |
|
388 |
} |
|
389 |
} catch (IOException ioe) { |
|
390 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
391 |
"Couldn't kickstart handshaking", ioe); |
|
392 |
} catch (Exception oe) { // including RuntimeException |
|
393 |
handleException(oe); |
|
394 |
} |
|
395 |
} |
|
396 |
||
397 |
@Override |
|
398 |
public synchronized void setUseClientMode(boolean mode) { |
|
399 |
conContext.setUseClientMode(mode); |
|
400 |
} |
|
401 |
||
402 |
@Override |
|
403 |
public synchronized boolean getUseClientMode() { |
|
404 |
return conContext.sslConfig.isClientMode; |
|
405 |
} |
|
406 |
||
407 |
@Override |
|
408 |
public synchronized void setNeedClientAuth(boolean need) { |
|
409 |
conContext.sslConfig.clientAuthType = |
|
410 |
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED : |
|
411 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
412 |
} |
|
413 |
||
414 |
@Override |
|
415 |
public synchronized boolean getNeedClientAuth() { |
|
416 |
return (conContext.sslConfig.clientAuthType == |
|
417 |
ClientAuthType.CLIENT_AUTH_REQUIRED); |
|
418 |
} |
|
419 |
||
420 |
@Override |
|
421 |
public synchronized void setWantClientAuth(boolean want) { |
|
422 |
conContext.sslConfig.clientAuthType = |
|
423 |
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED : |
|
424 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
2 | 425 |
} |
426 |
||
56542 | 427 |
@Override |
428 |
public synchronized boolean getWantClientAuth() { |
|
429 |
return (conContext.sslConfig.clientAuthType == |
|
430 |
ClientAuthType.CLIENT_AUTH_REQUESTED); |
|
431 |
} |
|
432 |
||
433 |
@Override |
|
434 |
public synchronized void setEnableSessionCreation(boolean flag) { |
|
435 |
conContext.sslConfig.enableSessionCreation = flag; |
|
436 |
} |
|
437 |
||
438 |
@Override |
|
439 |
public synchronized boolean getEnableSessionCreation() { |
|
440 |
return conContext.sslConfig.enableSessionCreation; |
|
441 |
} |
|
442 |
||
443 |
@Override |
|
444 |
public synchronized boolean isClosed() { |
|
445 |
return tlsIsClosed && conContext.isClosed(); |
|
2 | 446 |
} |
447 |
||
56542 | 448 |
@Override |
449 |
public synchronized void close() throws IOException { |
|
450 |
try { |
|
451 |
conContext.close(); |
|
452 |
} catch (IOException ioe) { |
|
453 |
// ignore the exception |
|
454 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
455 |
SSLLogger.warning("connection context closure failed", ioe); |
|
456 |
} |
|
457 |
} finally { |
|
458 |
tlsIsClosed = true; |
|
459 |
} |
|
460 |
} |
|
461 |
||
462 |
@Override |
|
463 |
public synchronized InputStream getInputStream() throws IOException { |
|
464 |
if (isClosed() || conContext.isInboundDone()) { |
|
465 |
throw new SocketException("Socket or inbound is closed"); |
|
466 |
} |
|
467 |
||
468 |
if (!isConnected) { |
|
469 |
throw new SocketException("Socket is not connected"); |
|
470 |
} |
|
471 |
||
472 |
return appInput; |
|
473 |
} |
|
474 |
||
475 |
private synchronized void ensureNegotiated() throws IOException { |
|
476 |
if (conContext.isNegotiated || conContext.isClosed()) { |
|
477 |
return; |
|
478 |
} |
|
479 |
||
480 |
startHandshake(); |
|
2 | 481 |
} |
482 |
||
56542 | 483 |
private class AppInputStream extends InputStream { |
484 |
// One element array used to implement the single byte read() method |
|
485 |
private final byte[] oneByte = new byte[1]; |
|
486 |
||
487 |
// the temporary buffer used to read network |
|
488 |
private ByteBuffer buffer; |
|
489 |
||
490 |
// Is application data available in the stream? |
|
491 |
private boolean appDataIsAvailable; |
|
492 |
||
493 |
AppInputStream() { |
|
494 |
this.appDataIsAvailable = false; |
|
495 |
this.buffer = ByteBuffer.allocate(4096); |
|
496 |
} |
|
2 | 497 |
|
56542 | 498 |
/** |
499 |
* Return the minimum number of bytes that can be read |
|
500 |
* without blocking. |
|
2 | 501 |
*/ |
56542 | 502 |
@Override |
503 |
public int available() throws IOException { |
|
504 |
// Currently not synchronized. |
|
505 |
if ((!appDataIsAvailable) || checkEOF()) { |
|
506 |
return 0; |
|
507 |
} |
|
508 |
||
509 |
return buffer.remaining(); |
|
510 |
} |
|
511 |
||
512 |
/** |
|
513 |
* Read a single byte, returning -1 on non-fault EOF status. |
|
514 |
*/ |
|
515 |
@Override |
|
516 |
public synchronized int read() throws IOException { |
|
517 |
int n = read(oneByte, 0, 1); |
|
518 |
if (n <= 0) { // EOF |
|
519 |
return -1; |
|
520 |
} |
|
521 |
||
522 |
return oneByte[0] & 0xFF; |
|
523 |
} |
|
2 | 524 |
|
56542 | 525 |
/** |
526 |
* Reads up to {@code len} bytes of data from the input stream |
|
527 |
* into an array of bytes. |
|
528 |
* |
|
529 |
* An attempt is made to read as many as {@code len} bytes, but a |
|
530 |
* smaller number may be read. The number of bytes actually read |
|
531 |
* is returned as an integer. |
|
532 |
* |
|
533 |
* If the layer above needs more data, it asks for more, so we |
|
534 |
* are responsible only for blocking to fill at most one buffer, |
|
535 |
* and returning "-1" on non-fault EOF status. |
|
536 |
*/ |
|
537 |
@Override |
|
538 |
public synchronized int read(byte[] b, int off, int len) |
|
539 |
throws IOException { |
|
540 |
if (b == null) { |
|
541 |
throw new NullPointerException("the target buffer is null"); |
|
542 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
543 |
throw new IndexOutOfBoundsException( |
|
544 |
"buffer length: " + b.length + ", offset; " + off + |
|
545 |
", bytes to read:" + len); |
|
546 |
} else if (len == 0) { |
|
547 |
return 0; |
|
548 |
} |
|
2 | 549 |
|
56542 | 550 |
if (checkEOF()) { |
551 |
return -1; |
|
552 |
} |
|
553 |
||
554 |
// start handshaking if the connection has not been negotiated. |
|
555 |
if (!conContext.isNegotiated && !conContext.isClosed()) { |
|
556 |
ensureNegotiated(); |
|
557 |
} |
|
2 | 558 |
|
56542 | 559 |
// Read the available bytes at first. |
560 |
int remains = available(); |
|
561 |
if (remains > 0) { |
|
562 |
int howmany = Math.min(remains, len); |
|
563 |
buffer.get(b, off, howmany); |
|
564 |
||
565 |
return howmany; |
|
566 |
} |
|
567 |
||
568 |
appDataIsAvailable = false; |
|
569 |
int volume = 0; |
|
570 |
try { |
|
571 |
while (volume == 0) { |
|
572 |
// Clear the buffer for a new record reading. |
|
573 |
buffer.clear(); |
|
2 | 574 |
|
56542 | 575 |
// grow the buffer if needed |
576 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
577 |
if (inLen < 0) { // EOF |
|
578 |
// treat like receiving a close_notify warning message. |
|
579 |
conContext.isInputCloseNotified = true; |
|
580 |
conContext.closeInbound(); |
|
581 |
return -1; |
|
582 |
} |
|
583 |
||
584 |
// Is this packet bigger than SSL/TLS normally allows? |
|
585 |
if (inLen > SSLRecord.maxLargeRecordSize) { |
|
586 |
throw new SSLProtocolException( |
|
587 |
"Illegal packet size: " + inLen); |
|
588 |
} |
|
589 |
||
590 |
if (inLen > buffer.remaining()) { |
|
591 |
buffer = ByteBuffer.allocate(inLen); |
|
30904 | 592 |
} |
2 | 593 |
|
56542 | 594 |
volume = readRecord(buffer); |
595 |
buffer.flip(); |
|
596 |
if (volume < 0) { // EOF |
|
597 |
// treat like receiving a close_notify warning message. |
|
598 |
conContext.isInputCloseNotified = true; |
|
599 |
conContext.closeInbound(); |
|
600 |
return -1; |
|
601 |
} else if (volume > 0) { |
|
602 |
appDataIsAvailable = true; |
|
603 |
break; |
|
604 |
} |
|
605 |
} |
|
606 |
||
607 |
// file the destination buffer |
|
608 |
int howmany = Math.min(len, volume); |
|
609 |
buffer.get(b, off, howmany); |
|
610 |
return howmany; |
|
611 |
} catch (Exception e) { // including RuntimeException |
|
612 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
613 |
handleException(e); |
|
614 |
||
615 |
// dummy for compiler |
|
616 |
return -1; |
|
617 |
} |
|
618 |
} |
|
619 |
||
620 |
/** |
|
621 |
* Skip n bytes. |
|
622 |
* |
|
623 |
* This implementation is somewhat less efficient than possible, but |
|
624 |
* not badly so (redundant copy). We reuse the read() code to keep |
|
625 |
* things simpler. Note that SKIP_ARRAY is static and may garbled by |
|
626 |
* concurrent use, but we are not interested in the data anyway. |
|
627 |
*/ |
|
628 |
@Override |
|
629 |
public synchronized long skip(long n) throws IOException { |
|
630 |
// dummy array used to implement skip() |
|
631 |
byte[] skipArray = new byte[256]; |
|
632 |
||
633 |
long skipped = 0; |
|
634 |
while (n > 0) { |
|
635 |
int len = (int)Math.min(n, skipArray.length); |
|
636 |
int r = read(skipArray, 0, len); |
|
637 |
if (r <= 0) { |
|
638 |
break; |
|
639 |
} |
|
640 |
n -= r; |
|
641 |
skipped += r; |
|
642 |
} |
|
643 |
||
644 |
return skipped; |
|
645 |
} |
|
646 |
||
647 |
@Override |
|
648 |
public void close() throws IOException { |
|
649 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
650 |
SSLLogger.finest("Closing input stream"); |
|
2 | 651 |
} |
56542 | 652 |
|
653 |
conContext.closeInbound(); |
|
654 |
} |
|
655 |
} |
|
656 |
||
657 |
@Override |
|
658 |
public synchronized OutputStream getOutputStream() throws IOException { |
|
659 |
if (isClosed() || conContext.isOutboundDone()) { |
|
660 |
throw new SocketException("Socket or outbound is closed"); |
|
661 |
} |
|
662 |
||
663 |
if (!isConnected) { |
|
664 |
throw new SocketException("Socket is not connected"); |
|
665 |
} |
|
666 |
||
667 |
return appOutput; |
|
668 |
} |
|
669 |
||
670 |
private class AppOutputStream extends OutputStream { |
|
671 |
// One element array used to implement the write(byte) method |
|
672 |
private final byte[] oneByte = new byte[1]; |
|
673 |
||
674 |
@Override |
|
675 |
public void write(int i) throws IOException { |
|
676 |
oneByte[0] = (byte)i; |
|
677 |
write(oneByte, 0, 1); |
|
678 |
} |
|
679 |
||
680 |
@Override |
|
681 |
public synchronized void write(byte[] b, |
|
682 |
int off, int len) throws IOException { |
|
683 |
if (b == null) { |
|
684 |
throw new NullPointerException("the source buffer is null"); |
|
685 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
686 |
throw new IndexOutOfBoundsException( |
|
687 |
"buffer length: " + b.length + ", offset; " + off + |
|
688 |
", bytes to read:" + len); |
|
689 |
} else if (len == 0) { |
|
690 |
return; |
|
691 |
} |
|
692 |
||
693 |
// start handshaking if the connection has not been negotiated. |
|
694 |
if (!conContext.isNegotiated && !conContext.isClosed()) { |
|
695 |
ensureNegotiated(); |
|
696 |
} |
|
697 |
||
698 |
// check if the Socket is invalid (error or closed) |
|
699 |
checkWrite(); |
|
700 |
||
701 |
// Delegate the writing to the underlying socket. |
|
702 |
try { |
|
703 |
writeRecord(b, off, len); |
|
704 |
checkWrite(); |
|
705 |
} catch (IOException ioe) { |
|
706 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
707 |
handleException(ioe); |
|
708 |
} |
|
709 |
} |
|
710 |
||
711 |
@Override |
|
712 |
public void close() throws IOException { |
|
713 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
714 |
SSLLogger.finest("Closing output stream"); |
|
715 |
} |
|
716 |
||
717 |
conContext.closeOutbound(); |
|
718 |
} |
|
719 |
} |
|
720 |
||
721 |
@Override |
|
722 |
public synchronized SSLParameters getSSLParameters() { |
|
723 |
return conContext.sslConfig.getSSLParameters(); |
|
724 |
} |
|
725 |
||
726 |
@Override |
|
727 |
public synchronized void setSSLParameters(SSLParameters params) { |
|
728 |
conContext.sslConfig.setSSLParameters(params); |
|
729 |
||
730 |
if (conContext.sslConfig.maximumPacketSize != 0) { |
|
731 |
conContext.outputRecord.changePacketSize( |
|
732 |
conContext.sslConfig.maximumPacketSize); |
|
733 |
} |
|
734 |
} |
|
735 |
||
736 |
@Override |
|
737 |
public synchronized String getApplicationProtocol() { |
|
738 |
return conContext.applicationProtocol; |
|
739 |
} |
|
740 |
||
741 |
@Override |
|
742 |
public synchronized String getHandshakeApplicationProtocol() { |
|
743 |
if (conContext.handshakeContext != null) { |
|
744 |
return conContext.handshakeContext.applicationProtocol; |
|
745 |
} |
|
746 |
||
747 |
return null; |
|
748 |
} |
|
749 |
||
750 |
@Override |
|
751 |
public synchronized void setHandshakeApplicationProtocolSelector( |
|
752 |
BiFunction<SSLSocket, List<String>, String> selector) { |
|
753 |
conContext.sslConfig.socketAPSelector = selector; |
|
754 |
} |
|
755 |
||
756 |
@Override |
|
757 |
public synchronized BiFunction<SSLSocket, List<String>, String> |
|
758 |
getHandshakeApplicationProtocolSelector() { |
|
759 |
return conContext.sslConfig.socketAPSelector; |
|
760 |
} |
|
761 |
||
762 |
private synchronized void writeRecord(byte[] source, |
|
763 |
int offset, int length) throws IOException { |
|
764 |
if (conContext.isOutboundDone()) { |
|
765 |
throw new SocketException("Socket or outbound closed"); |
|
2 | 766 |
} |
767 |
||
768 |
// |
|
769 |
// Don't bother to really write empty records. We went this |
|
770 |
// far to drive the handshake machinery, for correctness; not |
|
771 |
// writing empty records improves performance by cutting CPU |
|
772 |
// time and network resource usage. However, some protocol |
|
773 |
// implementations are fragile and don't like to see empty |
|
774 |
// records, so this also increases robustness. |
|
775 |
// |
|
30904 | 776 |
if (length > 0) { |
777 |
try { |
|
56542 | 778 |
conContext.outputRecord.deliver(source, offset, length); |
30904 | 779 |
} catch (SSLHandshakeException she) { |
780 |
// may be record sequence number overflow |
|
56542 | 781 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, she); |
30904 | 782 |
} catch (IOException e) { |
56542 | 783 |
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e); |
34528
279258fb670b
8141651: Deadlock in sun.security.ssl.SSLSocketImpl
xuelei
parents:
34380
diff
changeset
|
784 |
} |
2 | 785 |
} |
7039 | 786 |
|
56542 | 787 |
// Is the sequence number is nearly overflow? |
788 |
if (conContext.outputRecord.seqNumIsHuge()) { |
|
789 |
tryKeyUpdate(); |
|
10915 | 790 |
} |
791 |
} |
|
2 | 792 |
|
56542 | 793 |
private synchronized int readRecord() throws IOException { |
794 |
while (!conContext.isInboundDone()) { |
|
795 |
try { |
|
796 |
Plaintext plainText = decode(null); |
|
797 |
if ((plainText.contentType == ContentType.HANDSHAKE.id) && |
|
798 |
conContext.isNegotiated) { |
|
799 |
return 0; |
|
800 |
} |
|
801 |
} catch (SSLException ssle) { |
|
802 |
throw ssle; |
|
803 |
} catch (IOException ioe) { |
|
804 |
throw new SSLException("readRecord", ioe); |
|
805 |
} |
|
2 | 806 |
} |
30904 | 807 |
|
56542 | 808 |
return -1; |
30904 | 809 |
} |
810 |
||
56542 | 811 |
private synchronized int readRecord(ByteBuffer buffer) throws IOException { |
812 |
while (!conContext.isInboundDone()) { |
|
813 |
/* |
|
814 |
* clean the buffer and check if it is too small, e.g. because |
|
815 |
* the AppInputStream did not have the chance to see the |
|
816 |
* current packet length but rather something like that of the |
|
817 |
* handshake before. In that case we return 0 at this point to |
|
818 |
* give the caller the chance to adjust the buffer. |
|
819 |
*/ |
|
820 |
buffer.clear(); |
|
821 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
822 |
if (inLen < 0) { // EOF |
|
823 |
return -1; |
|
824 |
} |
|
30904 | 825 |
|
56542 | 826 |
if (buffer.remaining() < inLen) { |
827 |
return 0; |
|
828 |
} |
|
7039 | 829 |
|
56542 | 830 |
try { |
831 |
Plaintext plainText = decode(buffer); |
|
832 |
if (plainText.contentType == ContentType.APPLICATION_DATA.id) { |
|
833 |
return buffer.position(); |
|
30904 | 834 |
} |
56542 | 835 |
} catch (SSLException ssle) { |
836 |
throw ssle; |
|
837 |
} catch (IOException ioe) { |
|
838 |
throw new SSLException("readRecord", ioe); |
|
839 |
} |
|
7039 | 840 |
} |
841 |
||
56542 | 842 |
// |
843 |
// couldn't read, due to some kind of error |
|
844 |
// |
|
845 |
return -1; |
|
846 |
} |
|
7039 | 847 |
|
56542 | 848 |
private Plaintext decode(ByteBuffer destination) throws IOException { |
849 |
Plaintext plainText; |
|
850 |
if (destination == null) { |
|
851 |
plainText = SSLTransport.decode(conContext, |
|
852 |
null, 0, 0, null, 0, 0); |
|
853 |
} else { |
|
854 |
plainText = SSLTransport.decode(conContext, |
|
855 |
null, 0, 0, new ByteBuffer[]{destination}, 0, 1); |
|
7039 | 856 |
} |
30904 | 857 |
|
56542 | 858 |
// Is the sequence number is nearly overflow? |
859 |
if (plainText != Plaintext.PLAINTEXT_NULL && |
|
860 |
conContext.inputRecord.seqNumIsHuge()) { |
|
861 |
tryKeyUpdate(); |
|
862 |
} |
|
30904 | 863 |
|
56542 | 864 |
return plainText; |
2 | 865 |
} |
866 |
||
867 |
/** |
|
56542 | 868 |
* Try renegotiation or key update for sequence number wrap. |
869 |
* |
|
870 |
* Note that in order to maintain the handshake status properly, we check |
|
871 |
* the sequence number after the last record reading/writing process. As |
|
872 |
* we request renegotiation or close the connection for wrapped sequence |
|
873 |
* number when there is enough sequence number space left to handle a few |
|
874 |
* more records, so the sequence number of the last record cannot be |
|
875 |
* wrapped. |
|
2 | 876 |
*/ |
56542 | 877 |
private void tryKeyUpdate() throws IOException { |
878 |
// Don't bother to kickstart the renegotiation or key update when the |
|
879 |
// local is asking for it. |
|
880 |
if ((conContext.handshakeContext == null) && |
|
881 |
!conContext.isClosed() && !conContext.isBroken) { |
|
882 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
883 |
SSLLogger.finest("key update to wrap sequence number"); |
|
884 |
} |
|
885 |
conContext.keyUpdate(); |
|
886 |
} |
|
2 | 887 |
} |
888 |
||
56542 | 889 |
private void closeSocket(boolean selfInitiated) throws IOException { |
890 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
891 |
SSLLogger.fine("close the ssl connection " + |
|
892 |
(selfInitiated ? "(initiative)" : "(passive)")); |
|
2 | 893 |
} |
894 |
||
56542 | 895 |
if (autoClose || !isLayered()) { |
896 |
super.close(); |
|
897 |
} else if (selfInitiated) { |
|
898 |
// wait for close_notify alert to clear input stream. |
|
899 |
waitForClose(); |
|
900 |
} |
|
901 |
} |
|
902 |
||
903 |
/** |
|
904 |
* Wait for close_notify alert for a graceful closure. |
|
905 |
* |
|
906 |
* [RFC 5246] If the application protocol using TLS provides that any |
|
907 |
* data may be carried over the underlying transport after the TLS |
|
908 |
* connection is closed, the TLS implementation must receive the responding |
|
909 |
* close_notify alert before indicating to the application layer that |
|
910 |
* the TLS connection has ended. If the application protocol will not |
|
911 |
* transfer any additional data, but will only close the underlying |
|
912 |
* transport connection, then the implementation MAY choose to close the |
|
913 |
* transport without waiting for the responding close_notify. |
|
914 |
*/ |
|
915 |
private void waitForClose() throws IOException { |
|
916 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
917 |
SSLLogger.fine("wait for close_notify or alert"); |
|
2 | 918 |
} |
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
919 |
|
56542 | 920 |
while (!conContext.isInboundDone()) { |
921 |
try { |
|
922 |
Plaintext plainText = decode(null); |
|
923 |
// discard and continue |
|
924 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
925 |
SSLLogger.finest( |
|
926 |
"discard plaintext while waiting for close", plainText); |
|
927 |
} |
|
928 |
} catch (Exception e) { // including RuntimeException |
|
929 |
handleException(e); |
|
2 | 930 |
} |
931 |
} |
|
932 |
} |
|
933 |
||
934 |
/** |
|
56542 | 935 |
* Initialize the handshaker and socket streams. |
2 | 936 |
* |
56542 | 937 |
* Called by connect, the layered constructor, and SSLServerSocket. |
2 | 938 |
*/ |
56542 | 939 |
synchronized void doneConnect() throws IOException { |
940 |
// In server mode, it is not necessary to set host and serverNames. |
|
941 |
// Otherwise, would require a reverse DNS lookup to get the hostname. |
|
942 |
if ((peerHost == null) || (peerHost.length() == 0)) { |
|
943 |
boolean useNameService = |
|
944 |
trustNameService && conContext.sslConfig.isClientMode; |
|
945 |
useImplicitHost(useNameService); |
|
946 |
} else { |
|
947 |
conContext.sslConfig.serverNames = |
|
948 |
Utilities.addToSNIServerNameList( |
|
949 |
conContext.sslConfig.serverNames, peerHost); |
|
2 | 950 |
} |
951 |
||
56542 | 952 |
InputStream sockInput = super.getInputStream(); |
953 |
conContext.inputRecord.setReceiverStream(sockInput); |
|
2 | 954 |
|
56542 | 955 |
OutputStream sockOutput = super.getOutputStream(); |
956 |
conContext.inputRecord.setDeliverStream(sockOutput); |
|
957 |
conContext.outputRecord.setDeliverStream(sockOutput); |
|
2 | 958 |
|
56542 | 959 |
this.isConnected = true; |
2 | 960 |
} |
961 |
||
56542 | 962 |
private void useImplicitHost(boolean useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
963 |
// Note: If the local name service is not trustworthy, reverse |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
964 |
// host name resolution should not be performed for endpoint |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
965 |
// identification. Use the application original specified |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
966 |
// hostname or IP address instead. |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
967 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
968 |
// Get the original hostname via jdk.internal.misc.SharedSecrets |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
969 |
InetAddress inetAddress = getInetAddress(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
970 |
if (inetAddress == null) { // not connected |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
971 |
return; |
31687 | 972 |
} |
973 |
||
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
974 |
JavaNetInetAddressAccess jna = |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
975 |
SharedSecrets.getJavaNetInetAddressAccess(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
976 |
String originalHostname = jna.getOriginalHostName(inetAddress); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
977 |
if ((originalHostname != null) && |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
978 |
(originalHostname.length() != 0)) { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
979 |
|
56542 | 980 |
this.peerHost = originalHostname; |
981 |
if (conContext.sslConfig.serverNames.isEmpty() && |
|
982 |
!conContext.sslConfig.noSniExtension) { |
|
983 |
conContext.sslConfig.serverNames = |
|
984 |
Utilities.addToSNIServerNameList( |
|
985 |
conContext.sslConfig.serverNames, peerHost); |
|
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
986 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
987 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
988 |
return; |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
989 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
990 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
991 |
// No explicitly specified hostname, no server name indication. |
56542 | 992 |
if (!useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
993 |
// The local name service is not trustworthy, use IP address. |
56542 | 994 |
this.peerHost = inetAddress.getHostAddress(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
995 |
} else { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
996 |
// Use the underlying reverse host name resolution service. |
56542 | 997 |
this.peerHost = getInetAddress().getHostName(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
998 |
} |
31687 | 999 |
} |
1000 |
||
5162
0dbedf4fdb8c
6614957: HttpsURLConnection not using the set SSLSocketFactory for creating all its Sockets
chegar
parents:
2068
diff
changeset
|
1001 |
// ONLY used by HttpsClient to setup the URI specified hostname |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1002 |
// |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1003 |
// Please NOTE that this method MUST be called before calling to |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1004 |
// SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1005 |
// may override SNIHostName in the customized server name indication. |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
31918
diff
changeset
|
1006 |
public synchronized void setHost(String host) { |
56542 | 1007 |
this.peerHost = host; |
1008 |
this.conContext.sslConfig.serverNames = |
|
1009 |
Utilities.addToSNIServerNameList( |
|
1010 |
conContext.sslConfig.serverNames, host); |
|
2 | 1011 |
} |
1012 |
||
1013 |
/** |
|
56542 | 1014 |
* Return whether we have reached end-of-file. |
1015 |
* |
|
1016 |
* If the socket is not connected, has been shutdown because of an error |
|
1017 |
* or has been closed, throw an Exception. |
|
2 | 1018 |
*/ |
56542 | 1019 |
synchronized boolean checkEOF() throws IOException { |
1020 |
if (conContext.isClosed()) { |
|
1021 |
throw new SocketException("Socket is closed"); |
|
1022 |
} else if (conContext.isInputCloseNotified || conContext.isBroken) { |
|
1023 |
if (conContext.closeReason == null) { |
|
1024 |
return true; |
|
1025 |
} else { |
|
1026 |
throw new SSLException( |
|
1027 |
"Connection has been shutdown: " + conContext.closeReason, |
|
1028 |
conContext.closeReason); |
|
2 | 1029 |
} |
1030 |
} |
|
1031 |
||
56542 | 1032 |
return false; |
7043 | 1033 |
} |
1034 |
||
2 | 1035 |
/** |
56542 | 1036 |
* Check if we can write data to this socket. |
2 | 1037 |
*/ |
56542 | 1038 |
synchronized void checkWrite() throws IOException { |
1039 |
if (checkEOF() || conContext.isOutboundDone()) { |
|
1040 |
// we are at EOF, write must throw Exception |
|
1041 |
throw new SocketException("Connection closed"); |
|
1042 |
} |
|
1043 |
if (!isConnected) { |
|
1044 |
throw new SocketException("Socket is not connected"); |
|
2 | 1045 |
} |
1046 |
} |
|
1047 |
||
1048 |
/** |
|
56542 | 1049 |
* Handle an exception. |
2 | 1050 |
* |
56542 | 1051 |
* This method is called by top level exception handlers (in read(), |
1052 |
* write()) to make sure we always shutdown the connection correctly |
|
1053 |
* and do not pass runtime exception to the application. |
|
2 | 1054 |
* |
56542 | 1055 |
* This method never returns normally, it always throws an IOException. |
2 | 1056 |
*/ |
56542 | 1057 |
private void handleException(Exception cause) throws IOException { |
1058 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1059 |
SSLLogger.warning("handling exception", cause); |
|
2 | 1060 |
} |
1061 |
||
56542 | 1062 |
// Don't close the Socket in case of timeouts or interrupts. |
1063 |
if (cause instanceof InterruptedIOException) { |
|
1064 |
throw (IOException)cause; |
|
1065 |
} |
|
2 | 1066 |
|
56542 | 1067 |
// need to perform error shutdown |
1068 |
boolean isSSLException = (cause instanceof SSLException); |
|
1069 |
Alert alert; |
|
1070 |
if (isSSLException) { |
|
1071 |
if (cause instanceof SSLHandshakeException) { |
|
1072 |
alert = Alert.HANDSHAKE_FAILURE; |
|
1073 |
} else { |
|
1074 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
2 | 1075 |
} |
56542 | 1076 |
} else { |
1077 |
if (cause instanceof IOException) { |
|
1078 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
1079 |
} else { |
|
1080 |
// RuntimeException |
|
1081 |
alert = Alert.INTERNAL_ERROR; |
|
2 | 1082 |
} |
1083 |
} |
|
56542 | 1084 |
conContext.fatal(alert, cause); |
2 | 1085 |
} |
1086 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1087 |
@Override |
56542 | 1088 |
public String getPeerHost() { |
1089 |
return peerHost; |
|
2 | 1090 |
} |
1091 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1092 |
@Override |
56542 | 1093 |
public int getPeerPort() { |
1094 |
return getPort(); |
|
2 | 1095 |
} |
1096 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1097 |
@Override |
56542 | 1098 |
public boolean useDelegatedTask() { |
1099 |
return false; |
|
2 | 1100 |
} |
1101 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1102 |
@Override |
56542 | 1103 |
public void shutdown() throws IOException { |
1104 |
if (!isClosed()) { |
|
1105 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1106 |
SSLLogger.fine("close the underlying socket"); |
|
1107 |
} |
|
2 | 1108 |
|
56542 | 1109 |
try { |
1110 |
if (conContext.isInputCloseNotified) { |
|
1111 |
// Close the connection, no wait for more peer response. |
|
1112 |
closeSocket(false); |
|
1113 |
} else { |
|
1114 |
// Close the connection, may wait for peer close_notify. |
|
1115 |
closeSocket(true); |
|
1116 |
} |
|
1117 |
} finally { |
|
1118 |
tlsIsClosed = true; |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1119 |
} |
7043 | 1120 |
} |
2 | 1121 |
} |
1122 |
} |