jdk-sandbox: comparison src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java

equal deleted inserted replaced

-:92cbbfc996f3
+:56aaa6cb3693
 /*
-* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
 package sun.security.ssl;
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
+import javax.net.ssl.SSLParameters;
-import java.security.AlgorithmConstraints;
-import java.util.*;
-import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLParameters;
-import javax.net.ssl.SNIMatcher;
 /**
 * This class provides a simple way for servers to support conventional
 * use of the Secure Sockets Layer (SSL).  Application code uses an
 * SSLServerSocketImpl exactly like it uses a regular TCP ServerSocket; the
 * @see SSLSocketImpl
 * @see SSLServerSocketFactoryImpl
 *
 * @author David Brownell
 */
-final
+final class SSLServerSocketImpl extends SSLServerSocket {
-class SSLServerSocketImpl extends SSLServerSocket
+private final SSLContextImpl        sslContext;
-{
+private final SSLConfiguration      sslConfig;
-private SSLContextImpl      sslContext;
+SSLServerSocketImpl(SSLContextImpl sslContext) throws IOException {
-/* Do newly accepted connections require clients to authenticate? */
-private ClientAuthType    clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
+super();
+this.sslContext = sslContext;
-/* Do new connections created here use the "server" mode of SSL? */
+this.sslConfig = new SSLConfiguration(sslContext, false);
-private boolean             useServerMode = true;
+this.sslConfig.isClientMode = false;
+}
-/* Can new connections created establish new sessions? */
-private boolean             enableSessionCreation = true;
+SSLServerSocketImpl(SSLContextImpl sslContext,
+int port, int backlog) throws IOException {
-/* what cipher suites to use by default */
-private CipherSuiteList     enabledCipherSuites = null;
-/* which protocol to use by default */
-private ProtocolList        enabledProtocols = null;
-// the endpoint identification protocol to use by default
-private String              identificationProtocol = null;
-// The cryptographic algorithm constraints
-private AlgorithmConstraints    algorithmConstraints = null;
-// The server name indication
-Collection<SNIMatcher>      sniMatchers =
-Collections.<SNIMatcher>emptyList();
-// Configured application protocol values
-String[] applicationProtocols = new String[0];
-/*
-* Whether local cipher suites preference in server side should be
-* honored during handshaking?
-*/
-private boolean             preferLocalCipherSuites = false;
-/**
-* Create an SSL server socket on a port, using a non-default
-* authentication context and a specified connection backlog.
-*
-* @param port the port on which to listen
-* @param backlog how many connections may be pending before
-*          the system should start rejecting new requests
-* @param context authentication context for this server
-*/
-SSLServerSocketImpl(int port, int backlog, SSLContextImpl context)
-throws IOException, SSLException
-{
 super(port, backlog);
-initServer(context);
+this.sslContext = sslContext;
-}
+this.sslConfig = new SSLConfiguration(sslContext, false);
+this.sslConfig.isClientMode = false;
+}
-/**
-* Create an SSL server socket on a port, using a specified
+SSLServerSocketImpl(SSLContextImpl sslContext,
-* authentication context and a specified backlog of connections
+int port, int backlog, InetAddress address) throws IOException {
-* as well as a particular specified network interface.  This
-* constructor is used on multihomed hosts, such as those used
-* for firewalls or as routers, to control through which interface
-* a network service is provided.
-*
-* @param port the port on which to listen
-* @param backlog how many connections may be pending before
-*          the system should start rejecting new requests
-* @param address the address of the network interface through
-*          which connections will be accepted
-* @param context authentication context for this server
-*/
-SSLServerSocketImpl(
-int             port,
-int             backlog,
-InetAddress     address,
-SSLContextImpl  context)
-throws IOException
-{
 super(port, backlog, address);
-initServer(context);
+this.sslContext = sslContext;
-}
+this.sslConfig = new SSLConfiguration(sslContext, false);
+this.sslConfig.isClientMode = false;
+}
-/**
-* Creates an unbound server socket.
+@Override
-*/
+public synchronized String[] getEnabledCipherSuites() {
-SSLServerSocketImpl(SSLContextImpl context) throws IOException {
+return CipherSuite.namesOf(sslConfig.enabledCipherSuites);
-super();
+}
-initServer(context);
-}
+@Override
+public synchronized void setEnabledCipherSuites(String[] suites) {
+if (suites == null) {
-/**
+throw new IllegalArgumentException("CipherSuites cannot be null");
-* Initializes the server socket.
-*/
-private void initServer(SSLContextImpl context) throws SSLException {
-if (context == null) {
-throw new SSLException("No Authentication context given");
 }
-sslContext = context;
-enabledCipherSuites = sslContext.getDefaultCipherSuiteList(true);
+sslConfig.enabledCipherSuites =
-enabledProtocols = sslContext.getDefaultProtocolList(true);
+CipherSuite.validValuesOf(suites);
 }
-/**
-* Returns the names of the cipher suites which could be enabled for use
-* on an SSL connection.  Normally, only a subset of these will actually
-* be enabled by default, since this list may include cipher suites which
-* do not support the mutual authentication of servers and clients, or
-* which do not protect data confidentiality.  Servers may also need
-* certain kinds of certificates to use certain cipher suites.
-*
-* @return an array of cipher suite names
-*/
 @Override
 public String[] getSupportedCipherSuites() {
-return sslContext.getSupportedCipherSuiteList().toStringArray();
+return CipherSuite.namesOf(sslContext.getSupportedCipherSuites());
-}
-/**
-* Returns the list of cipher suites which are currently enabled
-* for use by newly accepted connections.  A null return indicates
-* that the system defaults are in effect.
-*/
-@Override
-public synchronized String[] getEnabledCipherSuites() {
-return enabledCipherSuites.toStringArray();
-}
-/**
-* Controls which particular SSL cipher suites are enabled for use
-* by accepted connections.
-*
-* @param suites Names of all the cipher suites to enable; null
-*  means to accept system defaults.
-*/
-@Override
-public synchronized void setEnabledCipherSuites(String[] suites) {
-enabledCipherSuites = new CipherSuiteList(suites);
 }
 @Override
 public String[] getSupportedProtocols() {
-return sslContext.getSuportedProtocolList().toStringArray();
+return ProtocolVersion.toStringArray(
-}
+sslContext.getSuportedProtocolVersions());
+}
-/**
-* Controls which protocols are enabled for use.
+@Override
-* The protocols must have been listed by
+public synchronized String[] getEnabledProtocols() {
-* getSupportedProtocols() as being supported.
+return ProtocolVersion.toStringArray(sslConfig.enabledProtocols);
-*
+}
-* @param protocols protocols to enable.
-* @exception IllegalArgumentException when one of the protocols
-*  named by the parameter is not supported.
-*/
 @Override
 public synchronized void setEnabledProtocols(String[] protocols) {
-enabledProtocols = new ProtocolList(protocols);
+if (protocols == null) {
-}
+throw new IllegalArgumentException("Protocols cannot be null");
+}
-@Override
-public synchronized String[] getEnabledProtocols() {
+sslConfig.enabledProtocols = ProtocolVersion.namesOf(protocols);
-return enabledProtocols.toStringArray();
+}
-}
+@Override
-/**
+public synchronized void setNeedClientAuth(boolean need) {
-* Controls whether the connections which are accepted must include
+sslConfig.clientAuthType =
-* client authentication.
+(need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
-*/
+ClientAuthType.CLIENT_AUTH_NONE);
-@Override
+}
-public void setNeedClientAuth(boolean flag) {
-clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED :
+@Override
-ClientAuthType.CLIENT_AUTH_NONE);
+public synchronized boolean getNeedClientAuth() {
-}
+return (sslConfig.clientAuthType ==
+ClientAuthType.CLIENT_AUTH_REQUIRED);
-@Override
+}
-public boolean getNeedClientAuth() {
-return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUIRED);
+@Override
-}
+public synchronized void setWantClientAuth(boolean want) {
+sslConfig.clientAuthType =
-/**
+(want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
-* Controls whether the connections which are accepted should request
+ClientAuthType.CLIENT_AUTH_NONE);
-* client authentication.
+}
-*/
 @Override
-public void setWantClientAuth(boolean flag) {
+public synchronized boolean getWantClientAuth() {
-clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED :
+return (sslConfig.clientAuthType ==
-ClientAuthType.CLIENT_AUTH_NONE);
+ClientAuthType.CLIENT_AUTH_REQUESTED);
 }
 @Override
-public boolean getWantClientAuth() {
+public synchronized void setUseClientMode(boolean useClientMode) {
-return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUESTED);
-}
-/**
-* Makes the returned sockets act in SSL "client" mode, not the usual
-* server mode.  The canonical example of why this is needed is for
-* FTP clients, which accept connections from servers and should be
-* rejoining the already-negotiated SSL connection.
-*/
-@Override
-public void setUseClientMode(boolean flag) {
 /*
-* If we need to change the socket mode and the enabled
+* If we need to change the client mode and the enabled
-* protocols haven't specifically been set by the user,
+* protocols and cipher suites haven't specifically been
-* change them to the corresponding default ones.
+* set by the user, change them to the corresponding
+* default ones.
 */
-if (useServerMode != (!flag) &&
+if (sslConfig.isClientMode != useClientMode) {
-sslContext.isDefaultProtocolList(enabledProtocols)) {
+if (sslContext.isDefaultProtocolVesions(
-enabledProtocols = sslContext.getDefaultProtocolList(!flag);
+sslConfig.enabledProtocols)) {
+sslConfig.enabledProtocols =
+sslContext.getDefaultProtocolVersions(!useClientMode);
+}
+if (sslContext.isDefaultCipherSuiteList(
+sslConfig.enabledCipherSuites)) {
+sslConfig.enabledCipherSuites =
+sslContext.getDefaultCipherSuites(!useClientMode);
+}
+sslConfig.isClientMode = useClientMode;
 }
+}
-useServerMode = !flag;
-}
+@Override
+public synchronized boolean getUseClientMode() {
-@Override
+return sslConfig.isClientMode;
-public boolean getUseClientMode() {
+}
-return !useServerMode;
-}
+@Override
+public synchronized void setEnableSessionCreation(boolean flag) {
+sslConfig.enableSessionCreation = flag;
-/**
+}
-* Controls whether new connections may cause creation of new SSL
-* sessions.
+@Override
-*/
+public synchronized boolean getEnableSessionCreation() {
-@Override
+return sslConfig.enableSessionCreation;
-public void setEnableSessionCreation(boolean flag) {
+}
-enableSessionCreation = flag;
-}
-/**
-* Returns true if new connections may cause creation of new SSL
-* sessions.
-*/
-@Override
-public boolean getEnableSessionCreation() {
-return enableSessionCreation;
-}
-/**
-* Returns the SSLParameters in effect for newly accepted connections.
-*/
 @Override
 public synchronized SSLParameters getSSLParameters() {
-SSLParameters params = super.getSSLParameters();
+return sslConfig.getSSLParameters();
+}
-// the super implementation does not handle the following parameters
-params.setEndpointIdentificationAlgorithm(identificationProtocol);
-params.setAlgorithmConstraints(algorithmConstraints);
-params.setSNIMatchers(sniMatchers);
-params.setUseCipherSuitesOrder(preferLocalCipherSuites);
-params.setApplicationProtocols(applicationProtocols);
-return params;
-}
-/**
-* Applies SSLParameters to newly accepted connections.
-*/
 @Override
 public synchronized void setSSLParameters(SSLParameters params) {
-super.setSSLParameters(params);
+sslConfig.setSSLParameters(params);
+}
-// the super implementation does not handle the following parameters
-identificationProtocol = params.getEndpointIdentificationAlgorithm();
-algorithmConstraints = params.getAlgorithmConstraints();
-preferLocalCipherSuites = params.getUseCipherSuitesOrder();
-Collection<SNIMatcher> matchers = params.getSNIMatchers();
-if (matchers != null) {
-sniMatchers = params.getSNIMatchers();
-}
-applicationProtocols = params.getApplicationProtocols();
-}
-/**
-* Accept a new SSL connection.  This server identifies itself with
-* information provided in the authentication context which was
-* presented during construction.
-*/
 @Override
 public Socket accept() throws IOException {
-SSLSocketImpl s = new SSLSocketImpl(sslContext, useServerMode,
+SSLSocketImpl s = new SSLSocketImpl(sslContext, sslConfig);
-enabledCipherSuites, clientAuthType, enableSessionCreation,
-enabledProtocols, identificationProtocol, algorithmConstraints,
-sniMatchers, preferLocalCipherSuites, applicationProtocols);
 implAccept(s);
 s.doneConnect();
 return s;
 }
-/**
-* Provides a brief description of this SSL socket.
-*/
 @Override
 public String toString() {
 return "[SSL: "+ super.toString() + "]";
 }
 }

branch	JDK-8145252-TLS13-branch
changeset 56542	56aaa6cb3693
parent 47216	71c04702a3d5
child 56611	f8f7e604e1f8