author | ascarpino |
Fri, 25 May 2018 12:43:45 -0700 | |
branch | JDK-8145252-TLS13-branch |
changeset 56611 | f8f7e604e1f8 |
parent 56594 | 99e0f3f3f0e4 |
child 56712 | bad9f4c7eeec |
permissions | -rw-r--r-- |
2 | 1 |
/* |
56542 | 2 |
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.security.ssl; |
|
27 |
||
56542 | 28 |
import java.io.IOException; |
29 |
import java.io.InputStream; |
|
30 |
import java.io.InterruptedIOException; |
|
31 |
import java.io.OutputStream; |
|
32 |
import java.net.InetAddress; |
|
33 |
import java.net.InetSocketAddress; |
|
34 |
import java.net.Socket; |
|
35 |
import java.net.SocketAddress; |
|
36 |
import java.net.SocketException; |
|
37 |
import java.net.UnknownHostException; |
|
38 |
import java.nio.ByteBuffer; |
|
39 |
import java.util.List; |
|
42706
796cf076d69b
8170282: Enable ALPN parameters to be supplied during the TLS handshake
vinnie
parents:
38865
diff
changeset
|
40 |
import java.util.function.BiFunction; |
56542 | 41 |
import javax.net.ssl.HandshakeCompletedListener; |
42 |
import javax.net.ssl.SSLException; |
|
43 |
import javax.net.ssl.SSLHandshakeException; |
|
44 |
import javax.net.ssl.SSLParameters; |
|
45 |
import javax.net.ssl.SSLProtocolException; |
|
46 |
import javax.net.ssl.SSLServerSocket; |
|
47 |
import javax.net.ssl.SSLSession; |
|
48 |
import javax.net.ssl.SSLSocket; |
|
32834
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
49 |
import jdk.internal.misc.JavaNetInetAddressAccess; |
e1dca5fe4de3
8137056: Move SharedSecrets and interface friends out of sun.misc
chegar
parents:
32649
diff
changeset
|
50 |
import jdk.internal.misc.SharedSecrets; |
31687 | 51 |
|
2 | 52 |
/** |
56542 | 53 |
* Implementation of an SSL socket. |
54 |
* <P> |
|
55 |
* This is a normal connection type socket, implementing SSL over some lower |
|
56 |
* level socket, such as TCP. Because it is layered over some lower level |
|
57 |
* socket, it MUST override all default socket methods. |
|
58 |
* <P> |
|
59 |
* This API offers a non-traditional option for establishing SSL |
|
2 | 60 |
* connections. You may first establish the connection directly, then pass |
61 |
* that connection to the SSL socket constructor with a flag saying which |
|
62 |
* role should be taken in the handshake protocol. (The two ends of the |
|
63 |
* connection must not choose the same role!) This allows setup of SSL |
|
64 |
* proxying or tunneling, and also allows the kind of "role reversal" |
|
65 |
* that is required for most FTP data transfers. |
|
66 |
* |
|
67 |
* @see javax.net.ssl.SSLSocket |
|
68 |
* @see SSLServerSocket |
|
69 |
* |
|
70 |
* @author David Brownell |
|
71 |
*/ |
|
56542 | 72 |
public final class SSLSocketImpl |
73 |
extends BaseSSLSocketImpl implements SSLTransport { |
|
2 | 74 |
|
56542 | 75 |
final SSLContextImpl sslContext; |
76 |
final TransportContext conContext; |
|
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
77 |
|
56542 | 78 |
private final AppInputStream appInput = new AppInputStream(); |
79 |
private final AppOutputStream appOutput = new AppOutputStream(); |
|
2 | 80 |
|
56542 | 81 |
private String peerHost; |
82 |
private boolean autoClose; |
|
83 |
private boolean isConnected = false; |
|
84 |
private boolean tlsIsClosed = false; |
|
30904 | 85 |
|
31687 | 86 |
/* |
87 |
* Is the local name service trustworthy? |
|
88 |
* |
|
89 |
* If the local name service is not trustworthy, reverse host name |
|
90 |
* resolution should not be performed for endpoint identification. |
|
91 |
*/ |
|
92 |
static final boolean trustNameService = |
|
56542 | 93 |
Utilities.getBooleanProperty("jdk.tls.trustNameService", false); |
31687 | 94 |
|
56542 | 95 |
/** |
96 |
* Package-private constructor used to instantiate an unconnected |
|
97 |
* socket. |
|
98 |
* |
|
99 |
* This instance is meant to set handshake state to use "client mode". |
|
100 |
*/ |
|
101 |
SSLSocketImpl(SSLContextImpl sslContext) { |
|
102 |
super(); |
|
103 |
this.sslContext = sslContext; |
|
104 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
105 |
this.conContext = new TransportContext(sslContext, this, |
|
106 |
new SSLSocketInputRecord(handshakeHash), |
|
107 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
108 |
} |
|
2 | 109 |
|
110 |
/** |
|
56542 | 111 |
* Package-private constructor used to instantiate a server socket. |
2 | 112 |
* |
56542 | 113 |
* This instance is meant to set handshake state to use "server mode". |
2 | 114 |
*/ |
56542 | 115 |
SSLSocketImpl(SSLContextImpl sslContext, SSLConfiguration sslConfig) { |
2 | 116 |
super(); |
56542 | 117 |
this.sslContext = sslContext; |
118 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
119 |
this.conContext = new TransportContext(sslContext, this, sslConfig, |
|
120 |
new SSLSocketInputRecord(handshakeHash), |
|
121 |
new SSLSocketOutputRecord(handshakeHash)); |
|
2 | 122 |
} |
123 |
||
124 |
/** |
|
56542 | 125 |
* Constructs an SSL connection to a named host at a specified |
126 |
* port, using the authentication context provided. |
|
2 | 127 |
* |
56542 | 128 |
* This endpoint acts as the client, and may rejoin an existing SSL session |
129 |
* if appropriate. |
|
2 | 130 |
*/ |
56542 | 131 |
SSLSocketImpl(SSLContextImpl sslContext, String peerHost, |
132 |
int peerPort) throws IOException, UnknownHostException { |
|
2 | 133 |
super(); |
56542 | 134 |
this.sslContext = sslContext; |
135 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
136 |
this.conContext = new TransportContext(sslContext, this, |
|
137 |
new SSLSocketInputRecord(handshakeHash), |
|
138 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
139 |
this.peerHost = peerHost; |
|
140 |
SocketAddress socketAddress = |
|
141 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
142 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
2 | 143 |
connect(socketAddress, 0); |
144 |
} |
|
145 |
||
146 |
/** |
|
56542 | 147 |
* Constructs an SSL connection to a server at a specified |
148 |
* address, and TCP port, using the authentication context |
|
149 |
* provided. |
|
2 | 150 |
* |
56542 | 151 |
* This endpoint acts as the client, and may rejoin an existing SSL |
152 |
* session if appropriate. |
|
2 | 153 |
*/ |
56542 | 154 |
SSLSocketImpl(SSLContextImpl sslContext, |
155 |
InetAddress address, int peerPort) throws IOException { |
|
2 | 156 |
super(); |
56542 | 157 |
this.sslContext = sslContext; |
158 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
159 |
this.conContext = new TransportContext(sslContext, this, |
|
160 |
new SSLSocketInputRecord(handshakeHash), |
|
161 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
2 | 162 |
|
56542 | 163 |
SocketAddress socketAddress = new InetSocketAddress(address, peerPort); |
2 | 164 |
connect(socketAddress, 0); |
165 |
} |
|
166 |
||
56542 | 167 |
/** |
168 |
* Constructs an SSL connection to a named host at a specified |
|
169 |
* port, using the authentication context provided. |
|
170 |
* |
|
171 |
* This endpoint acts as the client, and may rejoin an existing SSL |
|
172 |
* session if appropriate. |
|
2 | 173 |
*/ |
56542 | 174 |
SSLSocketImpl(SSLContextImpl sslContext, |
175 |
String peerHost, int peerPort, InetAddress localAddr, |
|
176 |
int localPort) throws IOException, UnknownHostException { |
|
2 | 177 |
super(); |
56542 | 178 |
this.sslContext = sslContext; |
179 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
180 |
this.conContext = new TransportContext(sslContext, this, |
|
181 |
new SSLSocketInputRecord(handshakeHash), |
|
182 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
183 |
this.peerHost = peerHost; |
|
2 | 184 |
|
56542 | 185 |
bind(new InetSocketAddress(localAddr, localPort)); |
186 |
SocketAddress socketAddress = |
|
187 |
peerHost != null ? new InetSocketAddress(peerHost, peerPort) : |
|
188 |
new InetSocketAddress(InetAddress.getByName(null), peerPort); |
|
189 |
connect(socketAddress, 0); |
|
2 | 190 |
} |
191 |
||
192 |
/** |
|
56542 | 193 |
* Constructs an SSL connection to a server at a specified |
194 |
* address, and TCP port, using the authentication context |
|
195 |
* provided. |
|
2 | 196 |
* |
56542 | 197 |
* This endpoint acts as the client, and may rejoin an existing SSL |
198 |
* session if appropriate. |
|
2 | 199 |
*/ |
56542 | 200 |
SSLSocketImpl(SSLContextImpl sslContext, |
201 |
InetAddress peerAddr, int peerPort, |
|
202 |
InetAddress localAddr, int localPort) throws IOException { |
|
203 |
super(); |
|
204 |
this.sslContext = sslContext; |
|
205 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
206 |
this.conContext = new TransportContext(sslContext, this, |
|
207 |
new SSLSocketInputRecord(handshakeHash), |
|
208 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
209 |
||
210 |
bind(new InetSocketAddress(localAddr, localPort)); |
|
211 |
SocketAddress socketAddress = new InetSocketAddress(peerAddr, peerPort); |
|
212 |
connect(socketAddress, 0); |
|
2 | 213 |
} |
214 |
||
215 |
/** |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
216 |
* Creates a server mode {@link Socket} layered over an |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
217 |
* existing connected socket, and is able to read data which has |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
218 |
* already been consumed/removed from the {@link Socket}'s |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
219 |
* underlying {@link InputStream}. |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
220 |
*/ |
56542 | 221 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
222 |
InputStream consumed, boolean autoClose) throws IOException { |
56542 | 223 |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
224 |
super(sock, consumed); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
225 |
// We always layer over a connected socket |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
226 |
if (!sock.isConnected()) { |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
227 |
throw new SocketException("Underlying socket is not connected"); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
228 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
229 |
|
56542 | 230 |
this.sslContext = sslContext; |
231 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
232 |
this.conContext = new TransportContext(sslContext, this, |
|
233 |
new SSLSocketInputRecord(handshakeHash), |
|
234 |
new SSLSocketOutputRecord(handshakeHash), false); |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
235 |
this.autoClose = autoClose; |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
236 |
doneConnect(); |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
237 |
} |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
238 |
|
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
239 |
/** |
56542 | 240 |
* Layer SSL traffic over an existing connection, rather than |
241 |
* creating a new connection. |
|
242 |
* |
|
243 |
* The existing connection may be used only for SSL traffic (using this |
|
244 |
* SSLSocket) until the SSLSocket.close() call returns. However, if a |
|
245 |
* protocol error is detected, that existing connection is automatically |
|
246 |
* closed. |
|
247 |
* <p> |
|
248 |
* This particular constructor always uses the socket in the |
|
249 |
* role of an SSL client. It may be useful in cases which start |
|
250 |
* using SSL after some initial data transfers, for example in some |
|
251 |
* SSL tunneling applications or as part of some kinds of application |
|
252 |
* protocols which negotiate use of a SSL based security. |
|
2 | 253 |
*/ |
56542 | 254 |
SSLSocketImpl(SSLContextImpl sslContext, Socket sock, |
255 |
String peerHost, int port, boolean autoClose) throws IOException { |
|
256 |
super(sock); |
|
257 |
// We always layer over a connected socket |
|
258 |
if (!sock.isConnected()) { |
|
259 |
throw new SocketException("Underlying socket is not connected"); |
|
260 |
} |
|
2 | 261 |
|
56542 | 262 |
this.sslContext = sslContext; |
263 |
HandshakeHash handshakeHash = new HandshakeHash(); |
|
264 |
this.conContext = new TransportContext(sslContext, this, |
|
265 |
new SSLSocketInputRecord(handshakeHash), |
|
266 |
new SSLSocketOutputRecord(handshakeHash), true); |
|
267 |
this.peerHost = peerHost; |
|
268 |
this.autoClose = autoClose; |
|
269 |
doneConnect(); |
|
2 | 270 |
} |
271 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
272 |
@Override |
56542 | 273 |
public void connect(SocketAddress endpoint, |
274 |
int timeout) throws IOException { |
|
2 | 275 |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
276 |
if (isLayered()) { |
2 | 277 |
throw new SocketException("Already connected"); |
278 |
} |
|
279 |
||
280 |
if (!(endpoint instanceof InetSocketAddress)) { |
|
281 |
throw new SocketException( |
|
56542 | 282 |
"Cannot handle non-Inet socket addresses."); |
2 | 283 |
} |
284 |
||
285 |
super.connect(endpoint, timeout); |
|
286 |
doneConnect(); |
|
287 |
} |
|
288 |
||
56542 | 289 |
@Override |
290 |
public String[] getSupportedCipherSuites() { |
|
291 |
return CipherSuite.namesOf(sslContext.getSupportedCipherSuites()); |
|
292 |
} |
|
293 |
||
294 |
@Override |
|
295 |
public synchronized String[] getEnabledCipherSuites() { |
|
296 |
return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites); |
|
297 |
} |
|
298 |
||
299 |
@Override |
|
300 |
public synchronized void setEnabledCipherSuites(String[] suites) { |
|
301 |
if (suites == null) { |
|
302 |
throw new IllegalArgumentException("CipherSuites cannot be null"); |
|
303 |
} |
|
304 |
||
305 |
conContext.sslConfig.enabledCipherSuites = |
|
306 |
CipherSuite.validValuesOf(suites); |
|
307 |
} |
|
308 |
||
309 |
@Override |
|
310 |
public String[] getSupportedProtocols() { |
|
311 |
return ProtocolVersion.toStringArray( |
|
56611 | 312 |
sslContext.getSupportedProtocolVersions()); |
56542 | 313 |
} |
314 |
||
315 |
@Override |
|
316 |
public synchronized String[] getEnabledProtocols() { |
|
317 |
return ProtocolVersion.toStringArray( |
|
318 |
conContext.sslConfig.enabledProtocols); |
|
319 |
} |
|
320 |
||
321 |
@Override |
|
322 |
public synchronized void setEnabledProtocols(String[] protocols) { |
|
323 |
if (protocols == null) { |
|
324 |
throw new IllegalArgumentException("Protocols cannot be null"); |
|
325 |
} |
|
326 |
||
327 |
conContext.sslConfig.enabledProtocols = |
|
328 |
ProtocolVersion.namesOf(protocols); |
|
329 |
} |
|
2 | 330 |
|
56542 | 331 |
@Override |
332 |
public synchronized SSLSession getSession() { |
|
333 |
try { |
|
334 |
// start handshaking, if failed, the connection will be closed. |
|
335 |
ensureNegotiated(); |
|
336 |
} catch (IOException ioe) { |
|
337 |
if (SSLLogger.isOn && SSLLogger.isOn("handshake")) { |
|
338 |
SSLLogger.severe("handshake failed", ioe); |
|
339 |
} |
|
340 |
||
341 |
return SSLSessionImpl.nullSession; |
|
342 |
} |
|
343 |
||
344 |
return conContext.conSession; |
|
345 |
} |
|
346 |
||
347 |
@Override |
|
348 |
public synchronized SSLSession getHandshakeSession() { |
|
349 |
if (conContext.handshakeContext != null) { |
|
350 |
return conContext.handshakeContext.handshakeSession; |
|
351 |
} |
|
30904 | 352 |
|
56542 | 353 |
return null; |
354 |
} |
|
355 |
||
356 |
@Override |
|
357 |
public synchronized void addHandshakeCompletedListener( |
|
358 |
HandshakeCompletedListener listener) { |
|
359 |
if (listener == null) { |
|
360 |
throw new IllegalArgumentException("listener is null"); |
|
361 |
} |
|
362 |
||
363 |
conContext.sslConfig.addHandshakeCompletedListener(listener); |
|
364 |
} |
|
365 |
||
366 |
@Override |
|
367 |
public synchronized void removeHandshakeCompletedListener( |
|
368 |
HandshakeCompletedListener listener) { |
|
369 |
if (listener == null) { |
|
370 |
throw new IllegalArgumentException("listener is null"); |
|
371 |
} |
|
372 |
||
373 |
conContext.sslConfig.removeHandshakeCompletedListener(listener); |
|
2 | 374 |
} |
375 |
||
56542 | 376 |
@Override |
377 |
public synchronized void startHandshake() throws IOException { |
|
378 |
checkWrite(); |
|
379 |
try { |
|
380 |
conContext.kickstart(); |
|
381 |
||
382 |
// All initial handshaking goes through this operation until we |
|
383 |
// have a valid SSL connection. |
|
384 |
// |
|
385 |
// Handle handshake messages only, need no application data. |
|
386 |
if (!conContext.isNegotiated) { |
|
387 |
readRecord(); |
|
388 |
} |
|
389 |
} catch (IOException ioe) { |
|
390 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, |
|
391 |
"Couldn't kickstart handshaking", ioe); |
|
392 |
} catch (Exception oe) { // including RuntimeException |
|
393 |
handleException(oe); |
|
394 |
} |
|
395 |
} |
|
396 |
||
397 |
@Override |
|
398 |
public synchronized void setUseClientMode(boolean mode) { |
|
399 |
conContext.setUseClientMode(mode); |
|
400 |
} |
|
401 |
||
402 |
@Override |
|
403 |
public synchronized boolean getUseClientMode() { |
|
404 |
return conContext.sslConfig.isClientMode; |
|
405 |
} |
|
406 |
||
407 |
@Override |
|
408 |
public synchronized void setNeedClientAuth(boolean need) { |
|
409 |
conContext.sslConfig.clientAuthType = |
|
410 |
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED : |
|
411 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
412 |
} |
|
413 |
||
414 |
@Override |
|
415 |
public synchronized boolean getNeedClientAuth() { |
|
416 |
return (conContext.sslConfig.clientAuthType == |
|
417 |
ClientAuthType.CLIENT_AUTH_REQUIRED); |
|
418 |
} |
|
419 |
||
420 |
@Override |
|
421 |
public synchronized void setWantClientAuth(boolean want) { |
|
422 |
conContext.sslConfig.clientAuthType = |
|
423 |
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED : |
|
424 |
ClientAuthType.CLIENT_AUTH_NONE); |
|
2 | 425 |
} |
426 |
||
56542 | 427 |
@Override |
428 |
public synchronized boolean getWantClientAuth() { |
|
429 |
return (conContext.sslConfig.clientAuthType == |
|
430 |
ClientAuthType.CLIENT_AUTH_REQUESTED); |
|
431 |
} |
|
432 |
||
433 |
@Override |
|
434 |
public synchronized void setEnableSessionCreation(boolean flag) { |
|
435 |
conContext.sslConfig.enableSessionCreation = flag; |
|
436 |
} |
|
437 |
||
438 |
@Override |
|
439 |
public synchronized boolean getEnableSessionCreation() { |
|
440 |
return conContext.sslConfig.enableSessionCreation; |
|
441 |
} |
|
442 |
||
443 |
@Override |
|
444 |
public synchronized boolean isClosed() { |
|
445 |
return tlsIsClosed && conContext.isClosed(); |
|
2 | 446 |
} |
447 |
||
56542 | 448 |
@Override |
449 |
public synchronized void close() throws IOException { |
|
450 |
try { |
|
451 |
conContext.close(); |
|
452 |
} catch (IOException ioe) { |
|
453 |
// ignore the exception |
|
454 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
455 |
SSLLogger.warning("connection context closure failed", ioe); |
|
456 |
} |
|
457 |
} finally { |
|
458 |
tlsIsClosed = true; |
|
459 |
} |
|
460 |
} |
|
461 |
||
462 |
@Override |
|
463 |
public synchronized InputStream getInputStream() throws IOException { |
|
464 |
if (isClosed() || conContext.isInboundDone()) { |
|
465 |
throw new SocketException("Socket or inbound is closed"); |
|
466 |
} |
|
467 |
||
468 |
if (!isConnected) { |
|
469 |
throw new SocketException("Socket is not connected"); |
|
470 |
} |
|
471 |
||
472 |
return appInput; |
|
473 |
} |
|
474 |
||
475 |
private synchronized void ensureNegotiated() throws IOException { |
|
56594 | 476 |
if (conContext.isNegotiated || |
477 |
conContext.isClosed() || conContext.isBroken) { |
|
56542 | 478 |
return; |
479 |
} |
|
480 |
||
481 |
startHandshake(); |
|
2 | 482 |
} |
483 |
||
56542 | 484 |
private class AppInputStream extends InputStream { |
485 |
// One element array used to implement the single byte read() method |
|
486 |
private final byte[] oneByte = new byte[1]; |
|
487 |
||
488 |
// the temporary buffer used to read network |
|
489 |
private ByteBuffer buffer; |
|
490 |
||
491 |
// Is application data available in the stream? |
|
492 |
private boolean appDataIsAvailable; |
|
493 |
||
494 |
AppInputStream() { |
|
495 |
this.appDataIsAvailable = false; |
|
496 |
this.buffer = ByteBuffer.allocate(4096); |
|
497 |
} |
|
2 | 498 |
|
56542 | 499 |
/** |
500 |
* Return the minimum number of bytes that can be read |
|
501 |
* without blocking. |
|
2 | 502 |
*/ |
56542 | 503 |
@Override |
504 |
public int available() throws IOException { |
|
505 |
// Currently not synchronized. |
|
506 |
if ((!appDataIsAvailable) || checkEOF()) { |
|
507 |
return 0; |
|
508 |
} |
|
509 |
||
510 |
return buffer.remaining(); |
|
511 |
} |
|
512 |
||
513 |
/** |
|
514 |
* Read a single byte, returning -1 on non-fault EOF status. |
|
515 |
*/ |
|
516 |
@Override |
|
517 |
public synchronized int read() throws IOException { |
|
518 |
int n = read(oneByte, 0, 1); |
|
519 |
if (n <= 0) { // EOF |
|
520 |
return -1; |
|
521 |
} |
|
522 |
||
523 |
return oneByte[0] & 0xFF; |
|
524 |
} |
|
2 | 525 |
|
56542 | 526 |
/** |
527 |
* Reads up to {@code len} bytes of data from the input stream |
|
528 |
* into an array of bytes. |
|
529 |
* |
|
530 |
* An attempt is made to read as many as {@code len} bytes, but a |
|
531 |
* smaller number may be read. The number of bytes actually read |
|
532 |
* is returned as an integer. |
|
533 |
* |
|
534 |
* If the layer above needs more data, it asks for more, so we |
|
535 |
* are responsible only for blocking to fill at most one buffer, |
|
536 |
* and returning "-1" on non-fault EOF status. |
|
537 |
*/ |
|
538 |
@Override |
|
539 |
public synchronized int read(byte[] b, int off, int len) |
|
540 |
throws IOException { |
|
541 |
if (b == null) { |
|
542 |
throw new NullPointerException("the target buffer is null"); |
|
543 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
544 |
throw new IndexOutOfBoundsException( |
|
545 |
"buffer length: " + b.length + ", offset; " + off + |
|
546 |
", bytes to read:" + len); |
|
547 |
} else if (len == 0) { |
|
548 |
return 0; |
|
549 |
} |
|
2 | 550 |
|
56542 | 551 |
if (checkEOF()) { |
552 |
return -1; |
|
553 |
} |
|
554 |
||
555 |
// start handshaking if the connection has not been negotiated. |
|
56594 | 556 |
if (!conContext.isNegotiated && |
557 |
!conContext.isClosed() && !conContext.isBroken) { |
|
56542 | 558 |
ensureNegotiated(); |
559 |
} |
|
2 | 560 |
|
56542 | 561 |
// Read the available bytes at first. |
562 |
int remains = available(); |
|
563 |
if (remains > 0) { |
|
564 |
int howmany = Math.min(remains, len); |
|
565 |
buffer.get(b, off, howmany); |
|
566 |
||
567 |
return howmany; |
|
568 |
} |
|
569 |
||
570 |
appDataIsAvailable = false; |
|
571 |
int volume = 0; |
|
572 |
try { |
|
573 |
while (volume == 0) { |
|
574 |
// Clear the buffer for a new record reading. |
|
575 |
buffer.clear(); |
|
2 | 576 |
|
56542 | 577 |
// grow the buffer if needed |
578 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
579 |
if (inLen < 0) { // EOF |
|
580 |
// treat like receiving a close_notify warning message. |
|
581 |
conContext.isInputCloseNotified = true; |
|
582 |
conContext.closeInbound(); |
|
583 |
return -1; |
|
584 |
} |
|
585 |
||
586 |
// Is this packet bigger than SSL/TLS normally allows? |
|
587 |
if (inLen > SSLRecord.maxLargeRecordSize) { |
|
588 |
throw new SSLProtocolException( |
|
589 |
"Illegal packet size: " + inLen); |
|
590 |
} |
|
591 |
||
592 |
if (inLen > buffer.remaining()) { |
|
593 |
buffer = ByteBuffer.allocate(inLen); |
|
30904 | 594 |
} |
2 | 595 |
|
56542 | 596 |
volume = readRecord(buffer); |
597 |
buffer.flip(); |
|
598 |
if (volume < 0) { // EOF |
|
599 |
// treat like receiving a close_notify warning message. |
|
600 |
conContext.isInputCloseNotified = true; |
|
601 |
conContext.closeInbound(); |
|
602 |
return -1; |
|
603 |
} else if (volume > 0) { |
|
604 |
appDataIsAvailable = true; |
|
605 |
break; |
|
606 |
} |
|
607 |
} |
|
608 |
||
609 |
// file the destination buffer |
|
610 |
int howmany = Math.min(len, volume); |
|
611 |
buffer.get(b, off, howmany); |
|
612 |
return howmany; |
|
613 |
} catch (Exception e) { // including RuntimeException |
|
614 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
615 |
handleException(e); |
|
616 |
||
617 |
// dummy for compiler |
|
618 |
return -1; |
|
619 |
} |
|
620 |
} |
|
621 |
||
622 |
/** |
|
623 |
* Skip n bytes. |
|
624 |
* |
|
625 |
* This implementation is somewhat less efficient than possible, but |
|
626 |
* not badly so (redundant copy). We reuse the read() code to keep |
|
627 |
* things simpler. Note that SKIP_ARRAY is static and may garbled by |
|
628 |
* concurrent use, but we are not interested in the data anyway. |
|
629 |
*/ |
|
630 |
@Override |
|
631 |
public synchronized long skip(long n) throws IOException { |
|
632 |
// dummy array used to implement skip() |
|
633 |
byte[] skipArray = new byte[256]; |
|
634 |
||
635 |
long skipped = 0; |
|
636 |
while (n > 0) { |
|
637 |
int len = (int)Math.min(n, skipArray.length); |
|
638 |
int r = read(skipArray, 0, len); |
|
639 |
if (r <= 0) { |
|
640 |
break; |
|
641 |
} |
|
642 |
n -= r; |
|
643 |
skipped += r; |
|
644 |
} |
|
645 |
||
646 |
return skipped; |
|
647 |
} |
|
648 |
||
649 |
@Override |
|
650 |
public void close() throws IOException { |
|
651 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
652 |
SSLLogger.finest("Closing input stream"); |
|
2 | 653 |
} |
56542 | 654 |
|
655 |
conContext.closeInbound(); |
|
656 |
} |
|
657 |
} |
|
658 |
||
659 |
@Override |
|
660 |
public synchronized OutputStream getOutputStream() throws IOException { |
|
661 |
if (isClosed() || conContext.isOutboundDone()) { |
|
662 |
throw new SocketException("Socket or outbound is closed"); |
|
663 |
} |
|
664 |
||
665 |
if (!isConnected) { |
|
666 |
throw new SocketException("Socket is not connected"); |
|
667 |
} |
|
668 |
||
669 |
return appOutput; |
|
670 |
} |
|
671 |
||
672 |
private class AppOutputStream extends OutputStream { |
|
673 |
// One element array used to implement the write(byte) method |
|
674 |
private final byte[] oneByte = new byte[1]; |
|
675 |
||
676 |
@Override |
|
677 |
public void write(int i) throws IOException { |
|
678 |
oneByte[0] = (byte)i; |
|
679 |
write(oneByte, 0, 1); |
|
680 |
} |
|
681 |
||
682 |
@Override |
|
683 |
public synchronized void write(byte[] b, |
|
684 |
int off, int len) throws IOException { |
|
685 |
if (b == null) { |
|
686 |
throw new NullPointerException("the source buffer is null"); |
|
687 |
} else if (off < 0 || len < 0 || len > b.length - off) { |
|
688 |
throw new IndexOutOfBoundsException( |
|
689 |
"buffer length: " + b.length + ", offset; " + off + |
|
690 |
", bytes to read:" + len); |
|
691 |
} else if (len == 0) { |
|
692 |
return; |
|
693 |
} |
|
694 |
||
695 |
// start handshaking if the connection has not been negotiated. |
|
56594 | 696 |
if (!conContext.isNegotiated && |
697 |
!conContext.isClosed() && !conContext.isBroken) { |
|
56542 | 698 |
ensureNegotiated(); |
699 |
} |
|
700 |
||
701 |
// check if the Socket is invalid (error or closed) |
|
702 |
checkWrite(); |
|
703 |
||
704 |
// Delegate the writing to the underlying socket. |
|
705 |
try { |
|
706 |
writeRecord(b, off, len); |
|
707 |
checkWrite(); |
|
708 |
} catch (IOException ioe) { |
|
709 |
// shutdown and rethrow (wrapped) exception as appropriate |
|
710 |
handleException(ioe); |
|
711 |
} |
|
712 |
} |
|
713 |
||
714 |
@Override |
|
715 |
public void close() throws IOException { |
|
716 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
717 |
SSLLogger.finest("Closing output stream"); |
|
718 |
} |
|
719 |
||
720 |
conContext.closeOutbound(); |
|
721 |
} |
|
722 |
} |
|
723 |
||
724 |
@Override |
|
725 |
public synchronized SSLParameters getSSLParameters() { |
|
726 |
return conContext.sslConfig.getSSLParameters(); |
|
727 |
} |
|
728 |
||
729 |
@Override |
|
730 |
public synchronized void setSSLParameters(SSLParameters params) { |
|
731 |
conContext.sslConfig.setSSLParameters(params); |
|
732 |
||
733 |
if (conContext.sslConfig.maximumPacketSize != 0) { |
|
734 |
conContext.outputRecord.changePacketSize( |
|
735 |
conContext.sslConfig.maximumPacketSize); |
|
736 |
} |
|
737 |
} |
|
738 |
||
739 |
@Override |
|
740 |
public synchronized String getApplicationProtocol() { |
|
741 |
return conContext.applicationProtocol; |
|
742 |
} |
|
743 |
||
744 |
@Override |
|
745 |
public synchronized String getHandshakeApplicationProtocol() { |
|
746 |
if (conContext.handshakeContext != null) { |
|
747 |
return conContext.handshakeContext.applicationProtocol; |
|
748 |
} |
|
749 |
||
750 |
return null; |
|
751 |
} |
|
752 |
||
753 |
@Override |
|
754 |
public synchronized void setHandshakeApplicationProtocolSelector( |
|
755 |
BiFunction<SSLSocket, List<String>, String> selector) { |
|
756 |
conContext.sslConfig.socketAPSelector = selector; |
|
757 |
} |
|
758 |
||
759 |
@Override |
|
760 |
public synchronized BiFunction<SSLSocket, List<String>, String> |
|
761 |
getHandshakeApplicationProtocolSelector() { |
|
762 |
return conContext.sslConfig.socketAPSelector; |
|
763 |
} |
|
764 |
||
765 |
private synchronized void writeRecord(byte[] source, |
|
766 |
int offset, int length) throws IOException { |
|
767 |
if (conContext.isOutboundDone()) { |
|
768 |
throw new SocketException("Socket or outbound closed"); |
|
2 | 769 |
} |
770 |
||
771 |
// |
|
772 |
// Don't bother to really write empty records. We went this |
|
773 |
// far to drive the handshake machinery, for correctness; not |
|
774 |
// writing empty records improves performance by cutting CPU |
|
775 |
// time and network resource usage. However, some protocol |
|
776 |
// implementations are fragile and don't like to see empty |
|
777 |
// records, so this also increases robustness. |
|
778 |
// |
|
30904 | 779 |
if (length > 0) { |
780 |
try { |
|
56542 | 781 |
conContext.outputRecord.deliver(source, offset, length); |
30904 | 782 |
} catch (SSLHandshakeException she) { |
783 |
// may be record sequence number overflow |
|
56542 | 784 |
conContext.fatal(Alert.HANDSHAKE_FAILURE, she); |
30904 | 785 |
} catch (IOException e) { |
56542 | 786 |
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e); |
34528
279258fb670b
8141651: Deadlock in sun.security.ssl.SSLSocketImpl
xuelei
parents:
34380
diff
changeset
|
787 |
} |
2 | 788 |
} |
7039 | 789 |
|
56542 | 790 |
// Is the sequence number is nearly overflow? |
791 |
if (conContext.outputRecord.seqNumIsHuge()) { |
|
792 |
tryKeyUpdate(); |
|
10915 | 793 |
} |
794 |
} |
|
2 | 795 |
|
56542 | 796 |
private synchronized int readRecord() throws IOException { |
797 |
while (!conContext.isInboundDone()) { |
|
798 |
try { |
|
799 |
Plaintext plainText = decode(null); |
|
800 |
if ((plainText.contentType == ContentType.HANDSHAKE.id) && |
|
801 |
conContext.isNegotiated) { |
|
802 |
return 0; |
|
803 |
} |
|
804 |
} catch (SSLException ssle) { |
|
805 |
throw ssle; |
|
806 |
} catch (IOException ioe) { |
|
807 |
throw new SSLException("readRecord", ioe); |
|
808 |
} |
|
2 | 809 |
} |
30904 | 810 |
|
56542 | 811 |
return -1; |
30904 | 812 |
} |
813 |
||
56542 | 814 |
private synchronized int readRecord(ByteBuffer buffer) throws IOException { |
815 |
while (!conContext.isInboundDone()) { |
|
816 |
/* |
|
817 |
* clean the buffer and check if it is too small, e.g. because |
|
818 |
* the AppInputStream did not have the chance to see the |
|
819 |
* current packet length but rather something like that of the |
|
820 |
* handshake before. In that case we return 0 at this point to |
|
821 |
* give the caller the chance to adjust the buffer. |
|
822 |
*/ |
|
823 |
buffer.clear(); |
|
824 |
int inLen = conContext.inputRecord.bytesInCompletePacket(); |
|
825 |
if (inLen < 0) { // EOF |
|
826 |
return -1; |
|
827 |
} |
|
30904 | 828 |
|
56542 | 829 |
if (buffer.remaining() < inLen) { |
830 |
return 0; |
|
831 |
} |
|
7039 | 832 |
|
56542 | 833 |
try { |
834 |
Plaintext plainText = decode(buffer); |
|
835 |
if (plainText.contentType == ContentType.APPLICATION_DATA.id) { |
|
836 |
return buffer.position(); |
|
30904 | 837 |
} |
56542 | 838 |
} catch (SSLException ssle) { |
839 |
throw ssle; |
|
840 |
} catch (IOException ioe) { |
|
841 |
throw new SSLException("readRecord", ioe); |
|
842 |
} |
|
7039 | 843 |
} |
844 |
||
56542 | 845 |
// |
846 |
// couldn't read, due to some kind of error |
|
847 |
// |
|
848 |
return -1; |
|
849 |
} |
|
7039 | 850 |
|
56542 | 851 |
private Plaintext decode(ByteBuffer destination) throws IOException { |
852 |
Plaintext plainText; |
|
853 |
if (destination == null) { |
|
854 |
plainText = SSLTransport.decode(conContext, |
|
855 |
null, 0, 0, null, 0, 0); |
|
856 |
} else { |
|
857 |
plainText = SSLTransport.decode(conContext, |
|
858 |
null, 0, 0, new ByteBuffer[]{destination}, 0, 1); |
|
7039 | 859 |
} |
30904 | 860 |
|
56542 | 861 |
// Is the sequence number is nearly overflow? |
862 |
if (plainText != Plaintext.PLAINTEXT_NULL && |
|
863 |
conContext.inputRecord.seqNumIsHuge()) { |
|
864 |
tryKeyUpdate(); |
|
865 |
} |
|
30904 | 866 |
|
56542 | 867 |
return plainText; |
2 | 868 |
} |
869 |
||
870 |
/** |
|
56542 | 871 |
* Try renegotiation or key update for sequence number wrap. |
872 |
* |
|
873 |
* Note that in order to maintain the handshake status properly, we check |
|
874 |
* the sequence number after the last record reading/writing process. As |
|
875 |
* we request renegotiation or close the connection for wrapped sequence |
|
876 |
* number when there is enough sequence number space left to handle a few |
|
877 |
* more records, so the sequence number of the last record cannot be |
|
878 |
* wrapped. |
|
2 | 879 |
*/ |
56542 | 880 |
private void tryKeyUpdate() throws IOException { |
881 |
// Don't bother to kickstart the renegotiation or key update when the |
|
882 |
// local is asking for it. |
|
883 |
if ((conContext.handshakeContext == null) && |
|
884 |
!conContext.isClosed() && !conContext.isBroken) { |
|
885 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
886 |
SSLLogger.finest("key update to wrap sequence number"); |
|
887 |
} |
|
888 |
conContext.keyUpdate(); |
|
889 |
} |
|
2 | 890 |
} |
891 |
||
56542 | 892 |
private void closeSocket(boolean selfInitiated) throws IOException { |
893 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
894 |
SSLLogger.fine("close the ssl connection " + |
|
895 |
(selfInitiated ? "(initiative)" : "(passive)")); |
|
2 | 896 |
} |
897 |
||
56542 | 898 |
if (autoClose || !isLayered()) { |
899 |
super.close(); |
|
900 |
} else if (selfInitiated) { |
|
901 |
// wait for close_notify alert to clear input stream. |
|
902 |
waitForClose(); |
|
903 |
} |
|
904 |
} |
|
905 |
||
906 |
/** |
|
907 |
* Wait for close_notify alert for a graceful closure. |
|
908 |
* |
|
909 |
* [RFC 5246] If the application protocol using TLS provides that any |
|
910 |
* data may be carried over the underlying transport after the TLS |
|
911 |
* connection is closed, the TLS implementation must receive the responding |
|
912 |
* close_notify alert before indicating to the application layer that |
|
913 |
* the TLS connection has ended. If the application protocol will not |
|
914 |
* transfer any additional data, but will only close the underlying |
|
915 |
* transport connection, then the implementation MAY choose to close the |
|
916 |
* transport without waiting for the responding close_notify. |
|
917 |
*/ |
|
918 |
private void waitForClose() throws IOException { |
|
919 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
920 |
SSLLogger.fine("wait for close_notify or alert"); |
|
2 | 921 |
} |
34380
2b2609379881
8144093: JEP 244/8051498 - TLS Application-Layer Protocol Negotiation Extension
vinnie
parents:
32834
diff
changeset
|
922 |
|
56542 | 923 |
while (!conContext.isInboundDone()) { |
924 |
try { |
|
925 |
Plaintext plainText = decode(null); |
|
926 |
// discard and continue |
|
927 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
928 |
SSLLogger.finest( |
|
929 |
"discard plaintext while waiting for close", plainText); |
|
930 |
} |
|
931 |
} catch (Exception e) { // including RuntimeException |
|
932 |
handleException(e); |
|
2 | 933 |
} |
934 |
} |
|
935 |
} |
|
936 |
||
937 |
/** |
|
56542 | 938 |
* Initialize the handshaker and socket streams. |
2 | 939 |
* |
56542 | 940 |
* Called by connect, the layered constructor, and SSLServerSocket. |
2 | 941 |
*/ |
56542 | 942 |
synchronized void doneConnect() throws IOException { |
943 |
// In server mode, it is not necessary to set host and serverNames. |
|
944 |
// Otherwise, would require a reverse DNS lookup to get the hostname. |
|
945 |
if ((peerHost == null) || (peerHost.length() == 0)) { |
|
946 |
boolean useNameService = |
|
947 |
trustNameService && conContext.sslConfig.isClientMode; |
|
948 |
useImplicitHost(useNameService); |
|
949 |
} else { |
|
950 |
conContext.sslConfig.serverNames = |
|
951 |
Utilities.addToSNIServerNameList( |
|
952 |
conContext.sslConfig.serverNames, peerHost); |
|
2 | 953 |
} |
954 |
||
56542 | 955 |
InputStream sockInput = super.getInputStream(); |
956 |
conContext.inputRecord.setReceiverStream(sockInput); |
|
2 | 957 |
|
56542 | 958 |
OutputStream sockOutput = super.getOutputStream(); |
959 |
conContext.inputRecord.setDeliverStream(sockOutput); |
|
960 |
conContext.outputRecord.setDeliverStream(sockOutput); |
|
2 | 961 |
|
56542 | 962 |
this.isConnected = true; |
2 | 963 |
} |
964 |
||
56542 | 965 |
private void useImplicitHost(boolean useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
966 |
// Note: If the local name service is not trustworthy, reverse |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
967 |
// host name resolution should not be performed for endpoint |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
968 |
// identification. Use the application original specified |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
969 |
// hostname or IP address instead. |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
970 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
971 |
// Get the original hostname via jdk.internal.misc.SharedSecrets |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
972 |
InetAddress inetAddress = getInetAddress(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
973 |
if (inetAddress == null) { // not connected |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
974 |
return; |
31687 | 975 |
} |
976 |
||
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
977 |
JavaNetInetAddressAccess jna = |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
978 |
SharedSecrets.getJavaNetInetAddressAccess(); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
979 |
String originalHostname = jna.getOriginalHostName(inetAddress); |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
980 |
if ((originalHostname != null) && |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
981 |
(originalHostname.length() != 0)) { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
982 |
|
56542 | 983 |
this.peerHost = originalHostname; |
984 |
if (conContext.sslConfig.serverNames.isEmpty() && |
|
985 |
!conContext.sslConfig.noSniExtension) { |
|
986 |
conContext.sslConfig.serverNames = |
|
987 |
Utilities.addToSNIServerNameList( |
|
988 |
conContext.sslConfig.serverNames, peerHost); |
|
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
989 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
990 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
991 |
return; |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
992 |
} |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
993 |
|
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
994 |
// No explicitly specified hostname, no server name indication. |
56542 | 995 |
if (!useNameService) { |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
996 |
// The local name service is not trustworthy, use IP address. |
56542 | 997 |
this.peerHost = inetAddress.getHostAddress(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
998 |
} else { |
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
999 |
// Use the underlying reverse host name resolution service. |
56542 | 1000 |
this.peerHost = getInetAddress().getHostName(); |
37601
6517589dcc94
8144566: Custom HostnameVerifier disables SNI extension
xuelei
parents:
36641
diff
changeset
|
1001 |
} |
31687 | 1002 |
} |
1003 |
||
5162
0dbedf4fdb8c
6614957: HttpsURLConnection not using the set SSLSocketFactory for creating all its Sockets
chegar
parents:
2068
diff
changeset
|
1004 |
// ONLY used by HttpsClient to setup the URI specified hostname |
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1005 |
// |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1006 |
// Please NOTE that this method MUST be called before calling to |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1007 |
// SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter |
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1008 |
// may override SNIHostName in the customized server name indication. |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
31918
diff
changeset
|
1009 |
public synchronized void setHost(String host) { |
56542 | 1010 |
this.peerHost = host; |
1011 |
this.conContext.sslConfig.serverNames = |
|
1012 |
Utilities.addToSNIServerNameList( |
|
1013 |
conContext.sslConfig.serverNames, host); |
|
2 | 1014 |
} |
1015 |
||
1016 |
/** |
|
56542 | 1017 |
* Return whether we have reached end-of-file. |
1018 |
* |
|
1019 |
* If the socket is not connected, has been shutdown because of an error |
|
1020 |
* or has been closed, throw an Exception. |
|
2 | 1021 |
*/ |
56542 | 1022 |
synchronized boolean checkEOF() throws IOException { |
1023 |
if (conContext.isClosed()) { |
|
56571 | 1024 |
// throw new SocketException("Socket is closed"); |
1025 |
return true; |
|
56542 | 1026 |
} else if (conContext.isInputCloseNotified || conContext.isBroken) { |
1027 |
if (conContext.closeReason == null) { |
|
1028 |
return true; |
|
1029 |
} else { |
|
1030 |
throw new SSLException( |
|
1031 |
"Connection has been shutdown: " + conContext.closeReason, |
|
1032 |
conContext.closeReason); |
|
2 | 1033 |
} |
1034 |
} |
|
1035 |
||
56542 | 1036 |
return false; |
7043 | 1037 |
} |
1038 |
||
2 | 1039 |
/** |
56542 | 1040 |
* Check if we can write data to this socket. |
2 | 1041 |
*/ |
56542 | 1042 |
synchronized void checkWrite() throws IOException { |
1043 |
if (checkEOF() || conContext.isOutboundDone()) { |
|
1044 |
// we are at EOF, write must throw Exception |
|
1045 |
throw new SocketException("Connection closed"); |
|
1046 |
} |
|
1047 |
if (!isConnected) { |
|
1048 |
throw new SocketException("Socket is not connected"); |
|
2 | 1049 |
} |
1050 |
} |
|
1051 |
||
1052 |
/** |
|
56542 | 1053 |
* Handle an exception. |
2 | 1054 |
* |
56542 | 1055 |
* This method is called by top level exception handlers (in read(), |
1056 |
* write()) to make sure we always shutdown the connection correctly |
|
1057 |
* and do not pass runtime exception to the application. |
|
2 | 1058 |
* |
56542 | 1059 |
* This method never returns normally, it always throws an IOException. |
2 | 1060 |
*/ |
56542 | 1061 |
private void handleException(Exception cause) throws IOException { |
1062 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1063 |
SSLLogger.warning("handling exception", cause); |
|
2 | 1064 |
} |
1065 |
||
56542 | 1066 |
// Don't close the Socket in case of timeouts or interrupts. |
1067 |
if (cause instanceof InterruptedIOException) { |
|
1068 |
throw (IOException)cause; |
|
1069 |
} |
|
2 | 1070 |
|
56542 | 1071 |
// need to perform error shutdown |
1072 |
boolean isSSLException = (cause instanceof SSLException); |
|
1073 |
Alert alert; |
|
1074 |
if (isSSLException) { |
|
1075 |
if (cause instanceof SSLHandshakeException) { |
|
1076 |
alert = Alert.HANDSHAKE_FAILURE; |
|
1077 |
} else { |
|
1078 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
2 | 1079 |
} |
56542 | 1080 |
} else { |
1081 |
if (cause instanceof IOException) { |
|
1082 |
alert = Alert.UNEXPECTED_MESSAGE; |
|
1083 |
} else { |
|
1084 |
// RuntimeException |
|
1085 |
alert = Alert.INTERNAL_ERROR; |
|
2 | 1086 |
} |
1087 |
} |
|
56542 | 1088 |
conContext.fatal(alert, cause); |
2 | 1089 |
} |
1090 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1091 |
@Override |
56542 | 1092 |
public String getPeerHost() { |
1093 |
return peerHost; |
|
2 | 1094 |
} |
1095 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1096 |
@Override |
56542 | 1097 |
public int getPeerPort() { |
1098 |
return getPort(); |
|
2 | 1099 |
} |
1100 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1101 |
@Override |
56542 | 1102 |
public boolean useDelegatedTask() { |
1103 |
return false; |
|
2 | 1104 |
} |
1105 |
||
14664
e71aa0962e70
8003950: Adds missing Override annotations and removes unnecessary imports in sun.security.ssl
xuelei
parents:
14194
diff
changeset
|
1106 |
@Override |
56542 | 1107 |
public void shutdown() throws IOException { |
1108 |
if (!isClosed()) { |
|
1109 |
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { |
|
1110 |
SSLLogger.fine("close the underlying socket"); |
|
1111 |
} |
|
2 | 1112 |
|
56542 | 1113 |
try { |
1114 |
if (conContext.isInputCloseNotified) { |
|
1115 |
// Close the connection, no wait for more peer response. |
|
1116 |
closeSocket(false); |
|
1117 |
} else { |
|
1118 |
// Close the connection, may wait for peer close_notify. |
|
1119 |
closeSocket(true); |
|
1120 |
} |
|
1121 |
} finally { |
|
1122 |
tlsIsClosed = true; |
|
14194
971f46db533d
7068321: Support TLS Server Name Indication (SNI) Extension in JSSE Server
xuelei
parents:
13815
diff
changeset
|
1123 |
} |
7043 | 1124 |
} |
2 | 1125 |
} |
1126 |
} |