author | xuelei |
Fri, 08 Jun 2018 19:43:11 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56712 | bad9f4c7eeec |
parent 56611 | f8f7e604e1f8 |
child 56718 | da9979451b7a |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
56712 | 28 |
import java.io.EOFException; |
56542 | 29 |
import java.io.IOException; |
30 |
import java.io.InputStream; |
|
31 |
import java.io.InterruptedIOException; |
|
32 |
import java.io.OutputStream; |
|
33 |
import java.net.InetAddress; |
|
34 |
import java.net.InetSocketAddress; |
|
35 |
import java.net.Socket; |
|
36 |
import java.net.SocketAddress; |
|
37 |
import java.net.SocketException; |
|
38 |
import java.net.UnknownHostException; |
|
39 |
import java.nio.ByteBuffer; |
|
40 |
import java.util.List; |
|
42706
796cf076d69b
8170282: Enable ALPN parameters to be supplied during the TLS handshake
vinnie
parents:
38865
diff
changeset
|
41 |
import java.util.function.BiFunction; |
56542 | 42 |
import javax.net.ssl.HandshakeCompletedListener; |
43 |
import javax.net.ssl.SSLException; |
|
44 |
import javax.net.ssl.SSLHandshakeException; |
|
45 |
import javax.net.ssl.SSLParameters; |
|
46 |
import javax.net.ssl.SSLProtocolException; |
|
47 |
import javax.net.ssl.SSLServerSocket; |
|
48 |
import javax.net.ssl.SSLSession; |
|
49 |
import javax.net.ssl.SSLSocket; |
|
32834
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
50 |
import jdk.internal.misc.JavaNetInetAddressAccess; |
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
51 |
import jdk.internal.misc.SharedSecrets; |
31687 | 52 |
|
2 | 53 |
/** |
56542 | 54 |
* Implementation of an SSL socket. |
55 |
* <P> |
|
56 |
* This is a normal connection type socket, implementing SSL over some lower |
|
57 |
* level socket, such as TCP. Because it is layered over some lower level |
|
58 |
* socket, it MUST override all default socket methods. |
|
59 |
* <P> |
|
60 |
* This API offers a non-traditional option for establishing SSL |
|
2 | 61 |
* connections. You may first establish the connection directly, then pass |
62 |
* that connection to the SSL socket constructor with a flag saying which |
|
63 |
* role should be taken in the handshake protocol. (The two ends of the |
|
64 |
* connection must not choose the same role!) This allows setup of SSL |
|
65 |
* proxying or tunneling, and also allows the kind of "role reversal" |
|
66 |
* that is required for most FTP data transfers. |
|
67 |
* |
|
68 |
* @see javax.net.ssl.SSLSocket |
|
69 |
* @see SSLServerSocket |
|
70 |
* |
|
71 |
* @author David Brownell |
|
72 |
*/ |
|
56542 | 73 |
public final class SSLSocketImpl |
74 |
extends BaseSSLSocketImpl implements SSLTransport { |
|
2 | 75 |
|
56542 | 76 |
final SSLContextImpl sslContext; |
77 |
final TransportContext conContext; |
|
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
78 |
|
56542 | 79 |
private final AppInputStream appInput = new AppInputStream(); |
80 |
private final AppOutputStream appOutput = new AppOutputStream(); |
|
2 | 81 |
|
56542 | 82 |
private String peerHost; |
83 |
private boolean autoClose; |
|
84 |
private boolean isConnected = false; |
|
85 |
private boolean tlsIsClosed = false; |
|
30904 | 86 |
|
31687 | 87 |
/* |
88 |
* Is the local name service trustworthy? |
|
89 |
* |
|
90 |
* If the local name service is not trustworthy, reverse host name |
|
91 |
* resolution should not be performed for endpoint identification. |
|
92 |
*/ |
|
93 |
static final boolean trustNameService = |
|
56542 | 94 |
Utilities.getBooleanProperty("jdk.tls.trustNameService", false); |
31687 | 95 |
|
56542 | 96 |
/** |
97 |
* Package-private constructor used to instantiate an unconnected |
|
98 |
* socket. |
|
99 |
* |
|
100 |
* This instance is meant to set handshake state to use "client mode". |
|
101 |
*/ |
|
102 |
SSLSocketImpl(SSLContextImpl sslContext) { |
|
103 |
super(); |
|
104 |
this.sslContext = sslContext; |
|
105 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
106 |
this.conContext = new TransportContext(sslContext, this, |
|
107 |
new SSLSocketInputRecord(handshakeHash), |
|
108 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
109 |
} |
|
2 | 110 |
|
111 |
/** |
|
56542 | 112 |
* Package-private constructor used to instantiate a server socket. |
2 | 113 |
* |
56542 | 114 |
* This instance is meant to set handshake state to use "server mode". |
2 | 115 |
*/ |
56542 | 116 |
SSLSocketImpl(SSLContextImpl sslContext, SSLConfiguration sslConfig) { |
2 | 117 |
super(); |
56542 | 118 |
this.sslContext = sslContext; |
119 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
120 |
this.conContext = new TransportContext(sslContext, this, sslConfig, |
|
121 |
new SSLSocketInputRecord(handshakeHash), |
|
122 |
new SSLSocketOutputRecord(handshakeHash)); |
|
2 | 123 |
} |
124 |
||
125 |
/** |
|
56542 | 126 |
* Constructs an SSL connection to a named host at a specified |
127 |
* port, using the authentication context provided. |
|
2 | 128 |
* |
56542 | 129 |
* This endpoint acts as the client, and may rejoin an existing SSL session |
130 |
* if appropriate. |
|
2 | 131 |
*/ |
56542 | 132 |
SSLSocketImpl(SSLContextImpl sslContext, String peerHost, |
133 |
int peerPort) throws IOException, UnknownHostException { |
|
2 | 134 |
super(); |
56542 | 135 |
this.sslContext = sslContext; |
136 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
137 |
this.conContext = new TransportContext(sslContext, this, |
|
138 |
new SSLSocketInputRecord(handshakeHash), |
|
139 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
140 |
this.peerHost = peerHost; |
|
141 |
SocketAddress socketAddress = |
|
142 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
143 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
2 | 144 |
connect(socketAddress, 0); |
145 |
} |
|
146 |
||
147 |
/** |
|
56542 | 148 |
* Constructs an SSL connection to a server at a specified |
149 |
* address, and TCP port, using the authentication context |
|
150 |
* provided. |
|
2 | 151 |
* |
56542 | 152 |
* This endpoint acts as the client, and may rejoin an existing SSL |
153 |
* session if appropriate. |
|
2 | 154 |
*/ |
56542 | 155 |
SSLSocketImpl(SSLContextImpl sslContext, |
156 |
InetAddress address, int peerPort) throws IOException { |
|
2 | 157 |
super(); |
56542 | 158 |
this.sslContext = sslContext; |
159 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
160 |
this.conContext = new TransportContext(sslContext, this, |
|
161 |
new SSLSocketInputRecord(handshakeHash), |
|
162 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
2 | 163 |
|
56542 | 164 |
SocketAddress socketAddress = new InetSocketAddress(address, peerPort); |
2 | 165 |
connect(socketAddress, 0); |
166 |
} |
|
167 |
||
56542 | 168 |
/** |
169 |
* Constructs an SSL connection to a named host at a specified |
|
170 |
* port, using the authentication context provided. |
|
171 |
* |
|
172 |
* This endpoint acts as the client, and may rejoin an existing SSL |
|
173 |
* session if appropriate. |
|
2 | 174 |
*/ |
56542 | 175 |
SSLSocketImpl(SSLContextImpl sslContext, |
176 |
String peerHost, int peerPort, InetAddress localAddr, |
|
177 |
int localPort) throws IOException, UnknownHostException { |
|
2 | 178 |
super(); |
56542 | 179 |
this.sslContext = sslContext; |
180 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
181 |
this.conContext = new TransportContext(sslContext, this, |
|
182 |
new SSLSocketInputRecord(handshakeHash), |
|
183 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
184 |
this.peerHost = peerHost; |
|
2 | 185 |
|
56542 | 186 |
bind(new InetSocketAddress(localAddr, localPort)); |
187 |
SocketAddress socketAddress = |
|
188 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
189 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
190 |
connect(socketAddress, 0); |
|
2 | 191 |
} |
192 |
||
193 |
/** |
|
56542 | 194 |
* Constructs an SSL connection to a server at a specified |
195 |
* address, and TCP port, using the authentication context |
|
196 |
* provided. |
|
2 | 197 |
* |
56542 | 198 |
* This endpoint acts as the client, and may rejoin an existing SSL |
199 |
* session if appropriate. |
|
2 | 200 |
*/ |
56542 | 201 |
SSLSocketImpl(SSLContextImpl sslContext, |
202 |
InetAddress peerAddr, int peerPort, |
|
203 |
InetAddress localAddr, int localPort) throws IOException { |
|
204 |
super(); |
|
205 |
this.sslContext = sslContext; |
|
206 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
207 |
this.conContext = new TransportContext(sslContext, this, |
|
208 |
new SSLSocketInputRecord(handshakeHash), |
|
209 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
210 |
||
211 |
bind(new InetSocketAddress(localAddr, localPort)); |
|
212 |
SocketAddress socketAddress = new InetSocketAddress(peerAddr, peerPort); |
|
213 |
connect(socketAddress, 0); |
|
2 | 214 |
} |
215 |
||
216 |
/** |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
217 |
* Creates a server mode {@link Socket} layered over an |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
218 |
* existing connected socket, and is able to read data which has |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
219 |
* already been consumed/removed from the {@link Socket}'s |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
220 |
* underlying {@link InputStream}. |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
221 |
*/ |
56542 | 222 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
223 |
InputStream consumed, boolean autoClose) throws IOException { |
56542 | 224 |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
225 |
super(sock, consumed); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
226 |
// We always layer over a connected socket |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
227 |
if (!sock.isConnected()) { |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
228 |
throw new SocketException("Underlying socket is not connected"); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
229 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
230 |
|
56542 | 231 |
this.sslContext = sslContext; |
232 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
233 |
this.conContext = new TransportContext(sslContext, this, |
|
234 |
new SSLSocketInputRecord(handshakeHash), |
|
235 |
new SSLSocketOutputRecord(handshakeHash), false); |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
236 |
this.autoClose = autoClose; |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
237 |
doneConnect(); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
238 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
239 |
|
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
240 |
/** |
56542 | 241 |
* Layer SSL traffic over an existing connection, rather than |
242 |
* creating a new connection. |
|
243 |
* |
|
244 |
* The existing connection may be used only for SSL traffic (using this |
|
245 |
* SSLSocket) until the SSLSocket.close() call returns. However, if a |
|
246 |
* protocol error is detected, that existing connection is automatically |
|
247 |
* closed. |
|
248 |
* <p> |
|
249 |
* This particular constructor always uses the socket in the |
|
250 |
* role of an SSL client. It may be useful in cases which start |
|
251 |
* using SSL after some initial data transfers, for example in some |
|
252 |
* SSL tunneling applications or as part of some kinds of application |
|
253 |
* protocols which negotiate use of a SSL based security. |
|
2 | 254 |
*/ |
56542 | 255 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
256 |
String peerHost, int port, boolean autoClose) throws IOException { |
|
257 |
super(sock); |
|
258 |
// We always layer over a connected socket |
|
259 |
if (!sock.isConnected()) { |
|
260 |
throw new SocketException("Underlying socket is not connected"); |
|
261 |
} |
|
2 | 262 |
|
56542 | 263 |
this.sslContext = sslContext; |
264 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
265 |
this.conContext = new TransportContext(sslContext, this, |
|
266 |
new SSLSocketInputRecord(handshakeHash), |
|
267 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
268 |
this.peerHost = peerHost; |
|
269 |
this.autoClose = autoClose; |
|
270 |
doneConnect(); |
|
2 | 271 |
} |
272 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
273 |
@Override |
56542 | 274 |
public void connect(SocketAddress endpoint, |
275 |
int timeout) throws IOException { |
|
2 | 276 |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
277 |
if (isLayered()) { |
2 | 278 |
throw new SocketException("Already connected"); |
279 |
} |
|
280 |
||
281 |
if (!(endpoint instanceof InetSocketAddress)) { |
|
282 |
throw new SocketException( |
|
56542 | 283 |
"Cannot handle non-Inet socket addresses."); |
2 | 284 |
} |
285 |
||
286 |
super.connect(endpoint, timeout); |
|
287 |
doneConnect(); |
|
288 |
} |
|
289 |
||
56542 | 290 |
@Override |
291 |
public String[] getSupportedCipherSuites() { |
|
292 |
return CipherSuite.namesOf(sslContext.getSupportedCipherSuites()); |
|
293 |
} |
|
294 |
||
295 |
@Override |
|
296 |
public synchronized String[] getEnabledCipherSuites() { |
|
297 |
return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites); |
|
298 |
} |
|
299 |
||
300 |
@Override |
|
301 |
public synchronized void setEnabledCipherSuites(String[] suites) { |
|
302 |
if (suites == null) { |
|
303 |
throw new IllegalArgumentException("CipherSuites cannot be null"); |
|
304 |
} |
|
305 |
||
306 |
conContext.sslConfig.enabledCipherSuites = |
|
307 |
CipherSuite.validValuesOf(suites); |
|
308 |
} |
|
309 |
||
310 |
@Override |
|
311 |
public String[] getSupportedProtocols() { |
|
312 |
return ProtocolVersion.toStringArray( |
|
56611 | 313 |
sslContext.getSupportedProtocolVersions()); |
56542 | 314 |
} |
315 |
||
316 |
@Override |
|
317 |
public synchronized String[] getEnabledProtocols() { |
|
318 |
return ProtocolVersion.toStringArray( |
|
319 |
conContext.sslConfig.enabledProtocols); |
|
320 |
} |
|
321 |
||
322 |
@Override |
|
323 |
public synchronized void setEnabledProtocols(String[] protocols) { |
|
324 |
if (protocols == null) { |
|
325 |
throw new IllegalArgumentException("Protocols cannot be null"); |
|
326 |
} |
|
327 |
||
328 |
conContext.sslConfig.enabledProtocols = |
|
329 |
ProtocolVersion.namesOf(protocols); |
|
330 |
} |
|
2 | 331 |
|
56542 | 332 |
@Override |
333 |
public synchronized SSLSession getSession() { |
|
334 |
try { |
|
335 |
// start handshaking, if failed, the connection will be closed. |
|
336 |
ensureNegotiated(); |
|
337 |
} catch (IOException ioe) { |
|
338 |
if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { |
|
339 |
SSLLogger.severe("handshake failed", ioe); |
|
340 |
} |
|
341 |
||
342 |
return SSLSessionImpl.nullSession; |
|
343 |
} |
|
344 |
||
345 |
return conContext.conSession; |
|
346 |
} |
|
347 |
||
348 |
@Override |
|
349 |
public synchronized SSLSession getHandshakeSession() { |
|
350 |
if (conContext.handshakeContext != null) { |
|
351 |
return conContext.handshakeContext.handshakeSession; |
|
352 |
} |
|
30904 | 353 |
|
56542 | 354 |
return null; |
355 |
} |
|
356 |
||
357 |
@Override |
|
358 |
public synchronized void addHandshakeCompletedListener( |
|
359 |
HandshakeCompletedListener listener) { |
|
360 |
if (listener == null) { |
|
361 |
throw new IllegalArgumentException("listener is null"); |
|
362 |
} |
|
363 |
||
364 |
conContext.sslConfig.addHandshakeCompletedListener(listener); |
|
365 |
} |
|
366 |
||
367 |
@Override |
|
368 |
public synchronized void removeHandshakeCompletedListener( |
|
369 |
HandshakeCompletedListener listener) { |
|
370 |
if (listener == null) { |
|
371 |
throw new IllegalArgumentException("listener is null"); |
|
372 |
} |
|
373 |
||
374 |
conContext.sslConfig.removeHandshakeCompletedListener(listener); |
|
2 | 375 |
} |
376 |
||
56542 | 377 |
@Override |
378 |
public synchronized void startHandshake() throws IOException { |
|
379 |
checkWrite(); |
|
380 |
try { |
|
381 |
conContext.kickstart(); |
|
382 |
||
383 |
// All initial handshaking goes through this operation until we |
|
384 |
// have a valid SSL connection. |
|
385 |
// |
|
386 |
// Handle handshake messages only, need no application data. |
|
387 |
if (!conContext.isNegotiated) { |
|
388 |
readRecord(); |
|
389 |
} |
|
390 |
} catch (IOException ioe) { |
|
391 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
392 |
"Couldn't kickstart handshaking", ioe); |
|
393 |
} catch (Exception oe) { // including RuntimeException |
|
394 |
handleException(oe); |
|
395 |
} |
|
396 |
} |
|
397 |
||
398 |
@Override |
|
399 |
public synchronized void setUseClientMode(boolean mode) { |
|
400 |
conContext.setUseClientMode(mode); |
|
401 |
} |
|
402 |
||
403 |
@Override |
|
404 |
public synchronized boolean getUseClientMode() { |
|
405 |
return conContext.sslConfig.isClientMode; |
|
406 |
} |
|
407 |
||
408 |
@Override |
|
409 |
public synchronized void setNeedClientAuth(boolean need) { |
|
410 |
conContext.sslConfig.clientAuthType = |
|
411 |
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED : |
|
412 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
413 |
} |
|
414 |
||
415 |
@Override |
|
416 |
public synchronized boolean getNeedClientAuth() { |
|
417 |
return (conContext.sslConfig.clientAuthType == |
|
418 |
ClientAuthType.CLIENT_AUTH_REQUIRED); |
|
419 |
} |
|
420 |
||
421 |
@Override |
|
422 |
public synchronized void setWantClientAuth(boolean want) { |
|
423 |
conContext.sslConfig.clientAuthType = |
|
424 |
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED : |
|
425 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
2 | 426 |
} |
427 |
||
56542 | 428 |
@Override |
429 |
public synchronized boolean getWantClientAuth() { |
|
430 |
return (conContext.sslConfig.clientAuthType == |
|
431 |
ClientAuthType.CLIENT_AUTH_REQUESTED); |
|
432 |
} |
|
433 |
||
434 |
@Override |
|
435 |
public synchronized void setEnableSessionCreation(boolean flag) { |
|
436 |
conContext.sslConfig.enableSessionCreation = flag; |
|
437 |
} |
|
438 |
||
439 |
@Override |
|
440 |
public synchronized boolean getEnableSessionCreation() { |
|
441 |
return conContext.sslConfig.enableSessionCreation; |
|
442 |
} |
|
443 |
||
444 |
@Override |
|
445 |
public synchronized boolean isClosed() { |
|
446 |
return tlsIsClosed && conContext.isClosed(); |
|
2 | 447 |
} |
448 |
||
56542 | 449 |
@Override |
450 |
public synchronized void close() throws IOException { |
|
451 |
try { |
|
452 |
conContext.close(); |
|
453 |
} catch (IOException ioe) { |
|
454 |
// ignore the exception |
|
455 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
456 |
SSLLogger.warning("connection context closure failed", ioe); |
|
457 |
} |
|
458 |
} finally { |
|
459 |
tlsIsClosed = true; |
|
460 |
} |
|
461 |
} |
|
462 |
||
463 |
@Override |
|
464 |
public synchronized InputStream getInputStream() throws IOException { |
|
465 |
if (isClosed() || conContext.isInboundDone()) { |
|
466 |
throw new SocketException("Socket or inbound is closed"); |
|
467 |
} |
|
468 |
||
469 |
if (!isConnected) { |
|
470 |
throw new SocketException("Socket is not connected"); |
|
471 |
} |
|
472 |
||
473 |
return appInput; |
|
474 |
} |
|
475 |
||
476 |
private synchronized void ensureNegotiated() throws IOException { |
|
56594 | 477 |
if (conContext.isNegotiated || |
478 |
conContext.isClosed() || conContext.isBroken) { |
|
56542 | 479 |
return; |
480 |
} |
|
481 |
||
482 |
startHandshake(); |
|
2 | 483 |
} |
484 |
||
56542 | 485 |
private class AppInputStream extends InputStream { |
486 |
// One element array used to implement the single byte read() method |
|
487 |
private final byte[] oneByte = new byte[1]; |
|
488 |
||
489 |
// the temporary buffer used to read network |
|
490 |
private ByteBuffer buffer; |
|
491 |
||
492 |
// Is application data available in the stream? |
|
493 |
private boolean appDataIsAvailable; |
|
494 |
||
495 |
AppInputStream() { |
|
496 |
this.appDataIsAvailable = false; |
|
497 |
this.buffer = ByteBuffer.allocate(4096); |
|
498 |
} |
|
2 | 499 |
|
56542 | 500 |
/** |
501 |
* Return the minimum number of bytes that can be read |
|
502 |
* without blocking. |
|
2 | 503 |
*/ |
56542 | 504 |
@Override |
505 |
public int available() throws IOException { |
|
506 |
// Currently not synchronized. |
|
507 |
if ((!appDataIsAvailable) || checkEOF()) { |
|
508 |
return 0; |
|
509 |
} |
|
510 |
||
511 |
return buffer.remaining(); |
|
512 |
} |
|
513 |
||
514 |
/** |
|
515 |
* Read a single byte, returning -1 on non-fault EOF status. |
|
516 |
*/ |
|
517 |
@Override |
|
518 |
public synchronized int read() throws IOException { |
|
519 |
int n = read(oneByte, 0, 1); |
|
520 |
if (n <= 0) { // EOF |
|
521 |
return -1; |
|
522 |
} |
|
523 |
||
524 |
return oneByte[0] & 0xFF; |
|
525 |
} |
|
2 | 526 |
|
56542 | 527 |
/** |
528 |
* Reads up to {@code len} bytes of data from the input stream |
|
529 |
* into an array of bytes. |
|
530 |
* |
|
531 |
* An attempt is made to read as many as {@code len} bytes, but a |
|
532 |
* smaller number may be read. The number of bytes actually read |
|
533 |
* is returned as an integer. |
|
534 |
* |
|
535 |
* If the layer above needs more data, it asks for more, so we |
|
536 |
* are responsible only for blocking to fill at most one buffer, |
|
537 |
* and returning "-1" on non-fault EOF status. |
|
538 |
*/ |
|
539 |
@Override |
|
540 |
public synchronized int read(byte[] b, int off, int len) |
|
541 |
throws IOException { |
|
542 |
if (b == null) { |
|
543 |
throw new NullPointerException("the target buffer is null"); |
|
544 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
545 |
throw new IndexOutOfBoundsException( |
|
546 |
"buffer length: " + b.length + ", offset; " + off + |
|
547 |
", bytes to read:" + len); |
|
548 |
} else if (len == 0) { |
|
549 |
return 0; |
|
550 |
} |
|
2 | 551 |
|
56542 | 552 |
if (checkEOF()) { |
553 |
return -1; |
|
554 |
} |
|
555 |
||
556 |
// start handshaking if the connection has not been negotiated. |
|
56594 | 557 |
if (!conContext.isNegotiated && |
558 |
!conContext.isClosed() && !conContext.isBroken) { |
|
56542 | 559 |
ensureNegotiated(); |
560 |
} |
|
2 | 561 |
|
56542 | 562 |
// Read the available bytes at first. |
563 |
int remains = available(); |
|
564 |
if (remains > 0) { |
|
565 |
int howmany = Math.min(remains, len); |
|
566 |
buffer.get(b, off, howmany); |
|
567 |
||
568 |
return howmany; |
|
569 |
} |
|
570 |
||
571 |
appDataIsAvailable = false; |
|
572 |
int volume = 0; |
|
573 |
try { |
|
574 |
while (volume == 0) { |
|
575 |
// Clear the buffer for a new record reading. |
|
576 |
buffer.clear(); |
|
2 | 577 |
|
56542 | 578 |
// grow the buffer if needed |
579 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
580 |
if (inLen < 0) { // EOF |
|
56712 | 581 |
handleEOF(null); |
582 |
||
583 |
// if no exceptio thrown |
|
56542 | 584 |
return -1; |
585 |
} |
|
586 |
||
587 |
// Is this packet bigger than SSL/TLS normally allows? |
|
588 |
if (inLen > SSLRecord.maxLargeRecordSize) { |
|
589 |
throw new SSLProtocolException( |
|
590 |
"Illegal packet size: " + inLen); |
|
591 |
} |
|
592 |
||
593 |
if (inLen > buffer.remaining()) { |
|
594 |
buffer = ByteBuffer.allocate(inLen); |
|
30904 | 595 |
} |
2 | 596 |
|
56542 | 597 |
volume = readRecord(buffer); |
598 |
buffer.flip(); |
|
599 |
if (volume < 0) { // EOF |
|
600 |
// treat like receiving a close_notify warning message. |
|
601 |
conContext.isInputCloseNotified = true; |
|
602 |
conContext.closeInbound(); |
|
603 |
return -1; |
|
604 |
} else if (volume > 0) { |
|
605 |
appDataIsAvailable = true; |
|
606 |
break; |
|
607 |
} |
|
608 |
} |
|
609 |
||
610 |
// file the destination buffer |
|
611 |
int howmany = Math.min(len, volume); |
|
612 |
buffer.get(b, off, howmany); |
|
613 |
return howmany; |
|
614 |
} catch (Exception e) { // including RuntimeException |
|
615 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
616 |
handleException(e); |
|
617 |
||
618 |
// dummy for compiler |
|
619 |
return -1; |
|
620 |
} |
|
621 |
} |
|
622 |
||
623 |
/** |
|
624 |
* Skip n bytes. |
|
625 |
* |
|
626 |
* This implementation is somewhat less efficient than possible, but |
|
627 |
* not badly so (redundant copy). We reuse the read() code to keep |
|
628 |
* things simpler. Note that SKIP_ARRAY is static and may garbled by |
|
629 |
* concurrent use, but we are not interested in the data anyway. |
|
630 |
*/ |
|
631 |
@Override |
|
632 |
public synchronized long skip(long n) throws IOException { |
|
633 |
// dummy array used to implement skip() |
|
634 |
byte[] skipArray = new byte[256]; |
|
635 |
||
636 |
long skipped = 0; |
|
637 |
while (n > 0) { |
|
638 |
int len = (int)Math.min(n, skipArray.length); |
|
639 |
int r = read(skipArray, 0, len); |
|
640 |
if (r <= 0) { |
|
641 |
break; |
|
642 |
} |
|
643 |
n -= r; |
|
644 |
skipped += r; |
|
645 |
} |
|
646 |
||
647 |
return skipped; |
|
648 |
} |
|
649 |
||
650 |
@Override |
|
651 |
public void close() throws IOException { |
|
652 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
653 |
SSLLogger.finest("Closing input stream"); |
|
2 | 654 |
} |
56542 | 655 |
|
656 |
conContext.closeInbound(); |
|
657 |
} |
|
658 |
} |
|
659 |
||
660 |
@Override |
|
661 |
public synchronized OutputStream getOutputStream() throws IOException { |
|
662 |
if (isClosed() || conContext.isOutboundDone()) { |
|
663 |
throw new SocketException("Socket or outbound is closed"); |
|
664 |
} |
|
665 |
||
666 |
if (!isConnected) { |
|
667 |
throw new SocketException("Socket is not connected"); |
|
668 |
} |
|
669 |
||
670 |
return appOutput; |
|
671 |
} |
|
672 |
||
673 |
private class AppOutputStream extends OutputStream { |
|
674 |
// One element array used to implement the write(byte) method |
|
675 |
private final byte[] oneByte = new byte[1]; |
|
676 |
||
677 |
@Override |
|
678 |
public void write(int i) throws IOException { |
|
679 |
oneByte[0] = (byte)i; |
|
680 |
write(oneByte, 0, 1); |
|
681 |
} |
|
682 |
||
683 |
@Override |
|
684 |
public synchronized void write(byte[] b, |
|
685 |
int off, int len) throws IOException { |
|
686 |
if (b == null) { |
|
687 |
throw new NullPointerException("the source buffer is null"); |
|
688 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
689 |
throw new IndexOutOfBoundsException( |
|
690 |
"buffer length: " + b.length + ", offset; " + off + |
|
691 |
", bytes to read:" + len); |
|
692 |
} else if (len == 0) { |
|
693 |
return; |
|
694 |
} |
|
695 |
||
696 |
// start handshaking if the connection has not been negotiated. |
|
56594 | 697 |
if (!conContext.isNegotiated && |
698 |
!conContext.isClosed() && !conContext.isBroken) { |
|
56542 | 699 |
ensureNegotiated(); |
700 |
} |
|
701 |
||
702 |
// check if the Socket is invalid (error or closed) |
|
703 |
checkWrite(); |
|
704 |
||
705 |
// Delegate the writing to the underlying socket. |
|
706 |
try { |
|
707 |
writeRecord(b, off, len); |
|
708 |
checkWrite(); |
|
709 |
} catch (IOException ioe) { |
|
710 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
711 |
handleException(ioe); |
|
712 |
} |
|
713 |
} |
|
714 |
||
715 |
@Override |
|
716 |
public void close() throws IOException { |
|
717 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
718 |
SSLLogger.finest("Closing output stream"); |
|
719 |
} |
|
720 |
||
721 |
conContext.closeOutbound(); |
|
722 |
} |
|
723 |
} |
|
724 |
||
725 |
@Override |
|
726 |
public synchronized SSLParameters getSSLParameters() { |
|
727 |
return conContext.sslConfig.getSSLParameters(); |
|
728 |
} |
|
729 |
||
730 |
@Override |
|
731 |
public synchronized void setSSLParameters(SSLParameters params) { |
|
732 |
conContext.sslConfig.setSSLParameters(params); |
|
733 |
||
734 |
if (conContext.sslConfig.maximumPacketSize != 0) { |
|
735 |
conContext.outputRecord.changePacketSize( |
|
736 |
conContext.sslConfig.maximumPacketSize); |
|
737 |
} |
|
738 |
} |
|
739 |
||
740 |
@Override |
|
741 |
public synchronized String getApplicationProtocol() { |
|
742 |
return conContext.applicationProtocol; |
|
743 |
} |
|
744 |
||
745 |
@Override |
|
746 |
public synchronized String getHandshakeApplicationProtocol() { |
|
747 |
if (conContext.handshakeContext != null) { |
|
748 |
return conContext.handshakeContext.applicationProtocol; |
|
749 |
} |
|
750 |
||
751 |
return null; |
|
752 |
} |
|
753 |
||
754 |
@Override |
|
755 |
public synchronized void setHandshakeApplicationProtocolSelector( |
|
756 |
BiFunction<SSLSocket, List<String>, String> selector) { |
|
757 |
conContext.sslConfig.socketAPSelector = selector; |
|
758 |
} |
|
759 |
||
760 |
@Override |
|
761 |
public synchronized BiFunction<SSLSocket, List<String>, String> |
|
762 |
getHandshakeApplicationProtocolSelector() { |
|
763 |
return conContext.sslConfig.socketAPSelector; |
|
764 |
} |
|
765 |
||
766 |
private synchronized void writeRecord(byte[] source, |
|
767 |
int offset, int length) throws IOException { |
|
768 |
if (conContext.isOutboundDone()) { |
|
769 |
throw new SocketException("Socket or outbound closed"); |
|
2 | 770 |
} |
771 |
||
772 |
// |
|
773 |
// Don't bother to really write empty records. We went this |
|
774 |
// far to drive the handshake machinery, for correctness; not |
|
775 |
// writing empty records improves performance by cutting CPU |
|
776 |
// time and network resource usage. However, some protocol |
|
777 |
// implementations are fragile and don't like to see empty |
|
778 |
// records, so this also increases robustness. |
|
779 |
// |
|
30904 | 780 |
if (length > 0) { |
781 |
try { |
|
56542 | 782 |
conContext.outputRecord.deliver(source, offset, length); |
30904 | 783 |
} catch (SSLHandshakeException she) { |
784 |
// may be record sequence number overflow |
|
56542 | 785 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, she); |
30904 | 786 |
} catch (IOException e) { |
56542 | 787 |
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e); |
34528
279258fb670b
8141651: Deadlock in sun.security.ssl.SSLSocketImpl
xuelei
parents:
34380
diff
changeset
|
788 |
} |
2 | 789 |
} |
7039 | 790 |
|
56542 | 791 |
// Is the sequence number is nearly overflow? |
792 |
if (conContext.outputRecord.seqNumIsHuge()) { |
|
793 |
tryKeyUpdate(); |
|
10915 | 794 |
} |
795 |
} |
|
2 | 796 |
|
56542 | 797 |
private synchronized int readRecord() throws IOException { |
798 |
while (!conContext.isInboundDone()) { |
|
799 |
try { |
|
800 |
Plaintext plainText = decode(null); |
|
801 |
if ((plainText.contentType == ContentType.HANDSHAKE.id) && |
|
802 |
conContext.isNegotiated) { |
|
803 |
return 0; |
|
804 |
} |
|
805 |
} catch (SSLException ssle) { |
|
806 |
throw ssle; |
|
807 |
} catch (IOException ioe) { |
|
56712 | 808 |
if (!(ioe instanceof SSLException)) { |
809 |
throw new SSLException("readRecord", ioe); |
|
810 |
} else { |
|
811 |
throw ioe; |
|
812 |
} |
|
56542 | 813 |
} |
2 | 814 |
} |
30904 | 815 |
|
56542 | 816 |
return -1; |
30904 | 817 |
} |
818 |
||
56542 | 819 |
private synchronized int readRecord(ByteBuffer buffer) throws IOException { |
820 |
while (!conContext.isInboundDone()) { |
|
821 |
/* |
|
822 |
* clean the buffer and check if it is too small, e.g. because |
|
823 |
* the AppInputStream did not have the chance to see the |
|
824 |
* current packet length but rather something like that of the |
|
825 |
* handshake before. In that case we return 0 at this point to |
|
826 |
* give the caller the chance to adjust the buffer. |
|
827 |
*/ |
|
828 |
buffer.clear(); |
|
829 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
830 |
if (inLen < 0) { // EOF |
|
56712 | 831 |
handleEOF(null); |
832 |
||
833 |
// if no exceptio thrown |
|
56542 | 834 |
return -1; |
835 |
} |
|
30904 | 836 |
|
56542 | 837 |
if (buffer.remaining() < inLen) { |
838 |
return 0; |
|
839 |
} |
|
7039 | 840 |
|
56542 | 841 |
try { |
842 |
Plaintext plainText = decode(buffer); |
|
843 |
if (plainText.contentType == ContentType.APPLICATION_DATA.id) { |
|
844 |
return buffer.position(); |
|
30904 | 845 |
} |
56542 | 846 |
} catch (SSLException ssle) { |
847 |
throw ssle; |
|
848 |
} catch (IOException ioe) { |
|
56712 | 849 |
if (!(ioe instanceof SSLException)) { |
850 |
throw new SSLException("readRecord", ioe); |
|
851 |
} else { |
|
852 |
throw ioe; |
|
853 |
} |
|
56542 | 854 |
} |
7039 | 855 |
} |
856 |
||
56542 | 857 |
// |
858 |
// couldn't read, due to some kind of error |
|
859 |
// |
|
860 |
return -1; |
|
861 |
} |
|
7039 | 862 |
|
56542 | 863 |
private Plaintext decode(ByteBuffer destination) throws IOException { |
864 |
Plaintext plainText; |
|
56712 | 865 |
try { |
866 |
if (destination == null) { |
|
867 |
plainText = SSLTransport.decode(conContext, |
|
868 |
null, 0, 0, null, 0, 0); |
|
869 |
} else { |
|
870 |
plainText = SSLTransport.decode(conContext, |
|
871 |
null, 0, 0, new ByteBuffer[]{destination}, 0, 1); |
|
872 |
} |
|
873 |
} catch (EOFException eofe) { |
|
874 |
// EOFException is special as it is related to close_notify. |
|
875 |
plainText = handleEOF(eofe); |
|
7039 | 876 |
} |
30904 | 877 |
|
56542 | 878 |
// Is the sequence number is nearly overflow? |
879 |
if (plainText != Plaintext.PLAINTEXT_NULL && |
|
880 |
conContext.inputRecord.seqNumIsHuge()) { |
|
881 |
tryKeyUpdate(); |
|
882 |
} |
|
30904 | 883 |
|
56542 | 884 |
return plainText; |
2 | 885 |
} |
886 |
||
887 |
/** |
|
56542 | 888 |
* Try renegotiation or key update for sequence number wrap. |
889 |
* |
|
890 |
* Note that in order to maintain the handshake status properly, we check |
|
891 |
* the sequence number after the last record reading/writing process. As |
|
892 |
* we request renegotiation or close the connection for wrapped sequence |
|
893 |
* number when there is enough sequence number space left to handle a few |
|
894 |
* more records, so the sequence number of the last record cannot be |
|
895 |
* wrapped. |
|
2 | 896 |
*/ |
56542 | 897 |
private void tryKeyUpdate() throws IOException { |
898 |
// Don't bother to kickstart the renegotiation or key update when the |
|
899 |
// local is asking for it. |
|
900 |
if ((conContext.handshakeContext == null) && |
|
901 |
!conContext.isClosed() && !conContext.isBroken) { |
|
902 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
903 |
SSLLogger.finest("key update to wrap sequence number"); |
|
904 |
} |
|
905 |
conContext.keyUpdate(); |
|
906 |
} |
|
2 | 907 |
} |
908 |
||
56542 | 909 |
private void closeSocket(boolean selfInitiated) throws IOException { |
910 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
911 |
SSLLogger.fine("close the ssl connection " + |
|
912 |
(selfInitiated ? "(initiative)" : "(passive)")); |
|
2 | 913 |
} |
914 |
||
56542 | 915 |
if (autoClose || !isLayered()) { |
916 |
super.close(); |
|
917 |
} else if (selfInitiated) { |
|
918 |
// wait for close_notify alert to clear input stream. |
|
919 |
waitForClose(); |
|
920 |
} |
|
921 |
} |
|
922 |
||
923 |
/** |
|
924 |
* Wait for close_notify alert for a graceful closure. |
|
925 |
* |
|
926 |
* [RFC 5246] If the application protocol using TLS provides that any |
|
927 |
* data may be carried over the underlying transport after the TLS |
|
928 |
* connection is closed, the TLS implementation must receive the responding |
|
929 |
* close_notify alert before indicating to the application layer that |
|
930 |
* the TLS connection has ended. If the application protocol will not |
|
931 |
* transfer any additional data, but will only close the underlying |
|
932 |
* transport connection, then the implementation MAY choose to close the |
|
933 |
* transport without waiting for the responding close_notify. |
|
934 |
*/ |
|
935 |
private void waitForClose() throws IOException { |
|
936 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
937 |
SSLLogger.fine("wait for close_notify or alert"); |
|
2 | 938 |
} |
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
939 |
|
56542 | 940 |
while (!conContext.isInboundDone()) { |
941 |
try { |
|
942 |
Plaintext plainText = decode(null); |
|
943 |
// discard and continue |
|
944 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
945 |
SSLLogger.finest( |
|
946 |
"discard plaintext while waiting for close", plainText); |
|
947 |
} |
|
948 |
} catch (Exception e) { // including RuntimeException |
|
949 |
handleException(e); |
|
2 | 950 |
} |
951 |
} |
|
952 |
} |
|
953 |
||
954 |
/** |
|
56542 | 955 |
* Initialize the handshaker and socket streams. |
2 | 956 |
* |
56542 | 957 |
* Called by connect, the layered constructor, and SSLServerSocket. |
2 | 958 |
*/ |
56542 | 959 |
synchronized void doneConnect() throws IOException { |
960 |
// In server mode, it is not necessary to set host and serverNames. |
|
961 |
// Otherwise, would require a reverse DNS lookup to get the hostname. |
|
962 |
if ((peerHost == null) || (peerHost.length() == 0)) { |
|
963 |
boolean useNameService = |
|
964 |
trustNameService && conContext.sslConfig.isClientMode; |
|
965 |
useImplicitHost(useNameService); |
|
966 |
} else { |
|
967 |
conContext.sslConfig.serverNames = |
|
968 |
Utilities.addToSNIServerNameList( |
|
969 |
conContext.sslConfig.serverNames, peerHost); |
|
2 | 970 |
} |
971 |
||
56542 | 972 |
InputStream sockInput = super.getInputStream(); |
973 |
conContext.inputRecord.setReceiverStream(sockInput); |
|
2 | 974 |
|
56542 | 975 |
OutputStream sockOutput = super.getOutputStream(); |
976 |
conContext.inputRecord.setDeliverStream(sockOutput); |
|
977 |
conContext.outputRecord.setDeliverStream(sockOutput); |
|
2 | 978 |
|
56542 | 979 |
this.isConnected = true; |
2 | 980 |
} |
981 |
||
56542 | 982 |
private void useImplicitHost(boolean useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
983 |
// Note: If the local name service is not trustworthy, reverse |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
984 |
// host name resolution should not be performed for endpoint |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
985 |
// identification. Use the application original specified |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
986 |
// hostname or IP address instead. |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
987 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
988 |
// Get the original hostname via jdk.internal.misc.SharedSecrets |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
989 |
InetAddress inetAddress = getInetAddress(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
990 |
if (inetAddress == null) { // not connected |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
991 |
return; |
31687 | 992 |
} |
993 |
||
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
994 |
JavaNetInetAddressAccess jna = |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
995 |
SharedSecrets.getJavaNetInetAddressAccess(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
996 |
String originalHostname = jna.getOriginalHostName(inetAddress); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
997 |
if ((originalHostname != null) && |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
998 |
(originalHostname.length() != 0)) { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
999 |
|
56542 | 1000 |
this.peerHost = originalHostname; |
1001 |
if (conContext.sslConfig.serverNames.isEmpty() && |
|
1002 |
!conContext.sslConfig.noSniExtension) { |
|
1003 |
conContext.sslConfig.serverNames = |
|
1004 |
Utilities.addToSNIServerNameList( |
|
1005 |
conContext.sslConfig.serverNames, peerHost); |
|
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1006 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1007 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1008 |
return; |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1009 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1010 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1011 |
// No explicitly specified hostname, no server name indication. |
56542 | 1012 |
if (!useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1013 |
// The local name service is not trustworthy, use IP address. |
56542 | 1014 |
this.peerHost = inetAddress.getHostAddress(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1015 |
} else { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1016 |
// Use the underlying reverse host name resolution service. |
56542 | 1017 |
this.peerHost = getInetAddress().getHostName(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1018 |
} |
31687 | 1019 |
} |
1020 |
||
5162
0dbedf4fdb8c
6614957: HttpsURLConnection not using the set SSLSocketFactory for creating all its Sockets
chegar
parents:
2068
diff
changeset
|
1021 |
// ONLY used by HttpsClient to setup the URI specified hostname |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1022 |
// |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1023 |
// Please NOTE that this method MUST be called before calling to |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1024 |
// SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1025 |
// may override SNIHostName in the customized server name indication. |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
31918
diff
changeset
|
1026 |
public synchronized void setHost(String host) { |
56542 | 1027 |
this.peerHost = host; |
1028 |
this.conContext.sslConfig.serverNames = |
|
1029 |
Utilities.addToSNIServerNameList( |
|
1030 |
conContext.sslConfig.serverNames, host); |
|
2 | 1031 |
} |
1032 |
||
1033 |
/** |
|
56542 | 1034 |
* Return whether we have reached end-of-file. |
1035 |
* |
|
1036 |
* If the socket is not connected, has been shutdown because of an error |
|
1037 |
* or has been closed, throw an Exception. |
|
2 | 1038 |
*/ |
56542 | 1039 |
synchronized boolean checkEOF() throws IOException { |
1040 |
if (conContext.isClosed()) { |
|
56571 | 1041 |
// throw new SocketException("Socket is closed"); |
1042 |
return true; |
|
56542 | 1043 |
} else if (conContext.isInputCloseNotified || conContext.isBroken) { |
1044 |
if (conContext.closeReason == null) { |
|
1045 |
return true; |
|
1046 |
} else { |
|
1047 |
throw new SSLException( |
|
1048 |
"Connection has been shutdown: " + conContext.closeReason, |
|
1049 |
conContext.closeReason); |
|
2 | 1050 |
} |
1051 |
} |
|
1052 |
||
56542 | 1053 |
return false; |
7043 | 1054 |
} |
1055 |
||
2 | 1056 |
/** |
56542 | 1057 |
* Check if we can write data to this socket. |
2 | 1058 |
*/ |
56542 | 1059 |
synchronized void checkWrite() throws IOException { |
1060 |
if (checkEOF() || conContext.isOutboundDone()) { |
|
1061 |
// we are at EOF, write must throw Exception |
|
1062 |
throw new SocketException("Connection closed"); |
|
1063 |
} |
|
1064 |
if (!isConnected) { |
|
1065 |
throw new SocketException("Socket is not connected"); |
|
2 | 1066 |
} |
1067 |
} |
|
1068 |
||
1069 |
/** |
|
56542 | 1070 |
* Handle an exception. |
2 | 1071 |
* |
56542 | 1072 |
* This method is called by top level exception handlers (in read(), |
1073 |
* write()) to make sure we always shutdown the connection correctly |
|
1074 |
* and do not pass runtime exception to the application. |
|
2 | 1075 |
* |
56542 | 1076 |
* This method never returns normally, it always throws an IOException. |
2 | 1077 |
*/ |
56542 | 1078 |
private void handleException(Exception cause) throws IOException { |
1079 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1080 |
SSLLogger.warning("handling exception", cause); |
|
2 | 1081 |
} |
1082 |
||
56542 | 1083 |
// Don't close the Socket in case of timeouts or interrupts. |
1084 |
if (cause instanceof InterruptedIOException) { |
|
1085 |
throw (IOException)cause; |
|
1086 |
} |
|
2 | 1087 |
|
56542 | 1088 |
// need to perform error shutdown |
1089 |
boolean isSSLException = (cause instanceof SSLException); |
|
1090 |
Alert alert; |
|
1091 |
if (isSSLException) { |
|
1092 |
if (cause instanceof SSLHandshakeException) { |
|
1093 |
alert = Alert.HANDSHAKE_FAILURE; |
|
1094 |
} else { |
|
1095 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
2 | 1096 |
} |
56542 | 1097 |
} else { |
1098 |
if (cause instanceof IOException) { |
|
1099 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
1100 |
} else { |
|
1101 |
// RuntimeException |
|
1102 |
alert = Alert.INTERNAL_ERROR; |
|
2 | 1103 |
} |
1104 |
} |
|
56542 | 1105 |
conContext.fatal(alert, cause); |
2 | 1106 |
} |
1107 |
||
56712 | 1108 |
private Plaintext handleEOF(EOFException eofe) throws IOException { |
1109 |
if (requireCloseNotify || conContext.handshakeContext != null) { |
|
1110 |
SSLException ssle; |
|
1111 |
if (conContext.handshakeContext != null) { |
|
1112 |
ssle = new SSLHandshakeException( |
|
1113 |
"Remote host terminated the handshake"); |
|
1114 |
} else { |
|
1115 |
ssle = new SSLProtocolException( |
|
1116 |
"Remote host terminated the connection"); |
|
1117 |
} |
|
1118 |
||
1119 |
if (eofe != null) { |
|
1120 |
ssle.initCause(eofe); |
|
1121 |
} |
|
1122 |
throw ssle; |
|
1123 |
} else { |
|
1124 |
// treat as if we had received a close_notify |
|
1125 |
conContext.isInputCloseNotified = true; |
|
1126 |
conContext.transport.shutdown(); |
|
1127 |
||
1128 |
return Plaintext.PLAINTEXT_NULL; |
|
1129 |
} |
|
1130 |
} |
|
1131 |
||
1132 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1133 |
@Override |
56542 | 1134 |
public String getPeerHost() { |
1135 |
return peerHost; |
|
2 | 1136 |
} |
1137 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1138 |
@Override |
56542 | 1139 |
public int getPeerPort() { |
1140 |
return getPort(); |
|
2 | 1141 |
} |
1142 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1143 |
@Override |
56542 | 1144 |
public boolean useDelegatedTask() { |
1145 |
return false; |
|
2 | 1146 |
} |
1147 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1148 |
@Override |
56542 | 1149 |
public void shutdown() throws IOException { |
1150 |
if (!isClosed()) { |
|
1151 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1152 |
SSLLogger.fine("close the underlying socket"); |
|
1153 |
} |
|
2 | 1154 |
|
56542 | 1155 |
try { |
1156 |
if (conContext.isInputCloseNotified) { |
|
1157 |
// Close the connection, no wait for more peer response. |
|
1158 |
closeSocket(false); |
|
1159 |
} else { |
|
1160 |
// Close the connection, may wait for peer close_notify. |
|
1161 |
closeSocket(true); |
|
1162 |
} |
|
1163 |
} finally { |
|
1164 |
tlsIsClosed = true; |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1165 |
} |
7043 | 1166 |
} |
2 | 1167 |
} |
1168 |
} |