8207009: TLS 1.3 half-close and synchronization issues
Reviewed-by: jnimeh, mullan, wetmore
This commit is contained in:
parent
a83af4505e
commit
66e8f27bd8
@ -118,7 +118,8 @@ public final class SunJCE extends Provider {
|
|||||||
final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
|
final String BLOCK_PADS = "NOPADDING|PKCS5PADDING|ISO10126PADDING";
|
||||||
|
|
||||||
AccessController.doPrivileged(
|
AccessController.doPrivileged(
|
||||||
new java.security.PrivilegedAction<>() {
|
new java.security.PrivilegedAction<Object>() {
|
||||||
|
@Override
|
||||||
public Object run() {
|
public Object run() {
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -145,7 +145,7 @@ import java.util.function.BiFunction;
|
|||||||
* application messages are encrypted and integrity protected,
|
* application messages are encrypted and integrity protected,
|
||||||
* and inbound messages reverse the process.
|
* and inbound messages reverse the process.
|
||||||
*
|
*
|
||||||
* <li> Rehandshaking - Either side may request a renegotiation of
|
* <li> Rehandshaking - Either side may request a renegotiation of
|
||||||
* the session at any time during the Application Data phase. New
|
* the session at any time during the Application Data phase. New
|
||||||
* handshaking data can be intermixed among the application data.
|
* handshaking data can be intermixed among the application data.
|
||||||
* Before starting the rehandshake phase, the application may
|
* Before starting the rehandshake phase, the application may
|
||||||
@ -156,12 +156,20 @@ import java.util.function.BiFunction;
|
|||||||
* configuration settings will not be used until the next
|
* configuration settings will not be used until the next
|
||||||
* handshake.
|
* handshake.
|
||||||
*
|
*
|
||||||
* <li> Closure - When the connection is no longer needed, the
|
* <li> Closure - When the connection is no longer needed, the client
|
||||||
* application should close the {@code SSLEngine} and should
|
* and the server applications should each close both sides of their
|
||||||
* send/receive any remaining messages to the peer before
|
* respective connections. For {@code SSLEngine} objects, an
|
||||||
* closing the underlying transport mechanism. Once an engine is
|
* application should call {@link SSLEngine#closeOutbound()} and
|
||||||
* closed, it is not reusable: a new {@code SSLEngine} must
|
* send any remaining messages to the peer. Likewise, an application
|
||||||
* be created.
|
* should receive any remaining messages from the peer before calling
|
||||||
|
* {@link SSLEngine#closeInbound()}. The underlying transport mechanism
|
||||||
|
* can then be closed after both sides of the {@code SSLEngine} have
|
||||||
|
* been closed. If the connection is not closed in an orderly manner
|
||||||
|
* (for example {@link SSLEngine#closeInbound()} is called before the
|
||||||
|
* peer's write closure notification has been received), exceptions
|
||||||
|
* will be raised to indicate that an error has occurred. Once an
|
||||||
|
* engine is closed, it is not reusable: a new {@code SSLEngine}
|
||||||
|
* must be created.
|
||||||
* </OL>
|
* </OL>
|
||||||
* An {@code SSLEngine} is created by calling {@link
|
* An {@code SSLEngine} is created by calling {@link
|
||||||
* SSLContext#createSSLEngine()} from an initialized
|
* SSLContext#createSSLEngine()} from an initialized
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -130,6 +130,21 @@ import java.util.function.BiFunction;
|
|||||||
* socket can not switch between client and server modes, even when
|
* socket can not switch between client and server modes, even when
|
||||||
* performing renegotiations.
|
* performing renegotiations.
|
||||||
*
|
*
|
||||||
|
* @apiNote
|
||||||
|
* When the connection is no longer needed, the client and server
|
||||||
|
* applications should each close both sides of their respective connection.
|
||||||
|
* For {@code SSLSocket} objects, for example, an application can call
|
||||||
|
* {@link Socket#shutdownOutput()} or {@link java.io.OutputStream#close()}
|
||||||
|
* for output strean close and call {@link Socket#shutdownInput()} or
|
||||||
|
* {@link java.io.InputStream#close()} for input stream close. Note that
|
||||||
|
* in some cases, closing the input stream may depend on the peer's output
|
||||||
|
* stream being closed first. If the connection is not closed in an orderly
|
||||||
|
* manner (for example {@link Socket#shutdownInput()} is called before the
|
||||||
|
* peer's write closure notification has been received), exceptions may
|
||||||
|
* be raised to indicate that an error has occurred. Once an
|
||||||
|
* {@code SSLSocket} is closed, it is not reusable: a new {@code SSLSocket}
|
||||||
|
* must be created.
|
||||||
|
*
|
||||||
* @see java.net.Socket
|
* @see java.net.Socket
|
||||||
* @see SSLServerSocket
|
* @see SSLServerSocket
|
||||||
* @see SSLSocketFactory
|
* @see SSLSocketFactory
|
||||||
|
@ -235,13 +235,22 @@ enum Alert {
|
|||||||
Level level = Level.valueOf(am.level);
|
Level level = Level.valueOf(am.level);
|
||||||
Alert alert = Alert.valueOf(am.id);
|
Alert alert = Alert.valueOf(am.id);
|
||||||
if (alert == Alert.CLOSE_NOTIFY) {
|
if (alert == Alert.CLOSE_NOTIFY) {
|
||||||
if (tc.handshakeContext != null) {
|
tc.isInputCloseNotified = true;
|
||||||
|
tc.closeInbound();
|
||||||
|
|
||||||
|
if (tc.peerUserCanceled) {
|
||||||
|
tc.closeOutbound();
|
||||||
|
} else if (tc.handshakeContext != null) {
|
||||||
tc.fatal(Alert.UNEXPECTED_MESSAGE,
|
tc.fatal(Alert.UNEXPECTED_MESSAGE,
|
||||||
"Received close_notify during handshake");
|
"Received close_notify during handshake");
|
||||||
}
|
}
|
||||||
|
} else if (alert == Alert.USER_CANCELED) {
|
||||||
tc.isInputCloseNotified = true;
|
if (level == Level.WARNING) {
|
||||||
tc.closeInbound();
|
tc.peerUserCanceled = true;
|
||||||
|
} else {
|
||||||
|
tc.fatal(alert,
|
||||||
|
"Received fatal close_notify alert", true, null);
|
||||||
|
}
|
||||||
} else if ((level == Level.WARNING) && (alert != null)) {
|
} else if ((level == Level.WARNING) && (alert != null)) {
|
||||||
// Terminate the connection if an alert with a level of warning
|
// Terminate the connection if an alert with a level of warning
|
||||||
// is received during handshaking, except the no_certificate
|
// is received during handshaking, except the no_certificate
|
||||||
|
@ -204,30 +204,35 @@ abstract class BaseSSLSocketImpl extends SSLSocket {
|
|||||||
//
|
//
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The semantics of shutdownInput is not supported in TLS 1.0
|
* Places the input stream for this socket at "end of stream". Any data
|
||||||
* spec. Thus when the method is called on an SSL socket, an
|
* sent to the input stream side of the socket is acknowledged and then
|
||||||
* UnsupportedOperationException will be thrown.
|
* silently discarded.
|
||||||
*
|
*
|
||||||
* @throws UnsupportedOperationException
|
* @see java.net.Socket#shutdownInput
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public final void shutdownInput() throws IOException {
|
public void shutdownInput() throws IOException {
|
||||||
throw new UnsupportedOperationException("The method shutdownInput()" +
|
if (self == this) {
|
||||||
" is not supported in SSLSocket");
|
super.shutdownInput();
|
||||||
|
} else {
|
||||||
|
self.shutdownInput();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The semantics of shutdownOutput is not supported in TLS 1.0
|
* Disables the output stream for this socket. For a TCP socket, any
|
||||||
* spec. Thus when the method is called on an SSL socket, an
|
* previously written data will be sent followed by TCP's normal
|
||||||
* UnsupportedOperationException will be thrown.
|
* connection termination sequence.
|
||||||
*
|
*
|
||||||
* @throws UnsupportedOperationException
|
* @see java.net.Socket#shutdownOutput
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public final void shutdownOutput() throws IOException {
|
public void shutdownOutput() throws IOException {
|
||||||
throw new UnsupportedOperationException("The method shutdownOutput()" +
|
if (self == this) {
|
||||||
" is not supported in SSLSocket");
|
super.shutdownOutput();
|
||||||
|
} else {
|
||||||
|
self.shutdownOutput();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -235,7 +240,7 @@ abstract class BaseSSLSocketImpl extends SSLSocket {
|
|||||||
* @see java.net.Socket#isInputShutdown
|
* @see java.net.Socket#isInputShutdown
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public final boolean isInputShutdown() {
|
public boolean isInputShutdown() {
|
||||||
if (self == this) {
|
if (self == this) {
|
||||||
return super.isInputShutdown();
|
return super.isInputShutdown();
|
||||||
} else {
|
} else {
|
||||||
@ -248,7 +253,7 @@ abstract class BaseSSLSocketImpl extends SSLSocket {
|
|||||||
* @see java.net.Socket#isOutputShutdown
|
* @see java.net.Socket#isOutputShutdown
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public final boolean isOutputShutdown() {
|
public boolean isOutputShutdown() {
|
||||||
if (self == this) {
|
if (self == this) {
|
||||||
return super.isOutputShutdown();
|
return super.isOutputShutdown();
|
||||||
} else {
|
} else {
|
||||||
@ -618,7 +623,7 @@ abstract class BaseSSLSocketImpl extends SSLSocket {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized void close() throws IOException {
|
public void close() throws IOException {
|
||||||
if (self == this) {
|
if (self == this) {
|
||||||
super.close();
|
super.close();
|
||||||
} else {
|
} else {
|
||||||
|
@ -805,7 +805,7 @@ enum CipherSuite {
|
|||||||
this.id = id;
|
this.id = id;
|
||||||
this.isDefaultEnabled = isDefaultEnabled;
|
this.isDefaultEnabled = isDefaultEnabled;
|
||||||
this.name = name;
|
this.name = name;
|
||||||
if (aliases.isEmpty()) {
|
if (!aliases.isEmpty()) {
|
||||||
this.aliases = Arrays.asList(aliases.split(","));
|
this.aliases = Arrays.asList(aliases.split(","));
|
||||||
} else {
|
} else {
|
||||||
this.aliases = Collections.emptyList();
|
this.aliases = Collections.emptyList();
|
||||||
|
@ -44,7 +44,7 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
Authenticator prevWriteAuthenticator;
|
Authenticator prevWriteAuthenticator;
|
||||||
SSLWriteCipher prevWriteCipher;
|
SSLWriteCipher prevWriteCipher;
|
||||||
|
|
||||||
private final LinkedList<RecordMemo> alertMemos = new LinkedList<>();
|
private volatile boolean isCloseWaiting = false;
|
||||||
|
|
||||||
DTLSOutputRecord(HandshakeHash handshakeHash) {
|
DTLSOutputRecord(HandshakeHash handshakeHash) {
|
||||||
super(handshakeHash, SSLWriteCipher.nullDTlsWriteCipher());
|
super(handshakeHash, SSLWriteCipher.nullDTlsWriteCipher());
|
||||||
@ -57,6 +57,21 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
this.protocolVersion = ProtocolVersion.NONE;
|
this.protocolVersion = ProtocolVersion.NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public synchronized void close() throws IOException {
|
||||||
|
if (!isClosed) {
|
||||||
|
if (fragmenter != null && fragmenter.hasAlert()) {
|
||||||
|
isCloseWaiting = true;
|
||||||
|
} else {
|
||||||
|
super.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
boolean isClosed() {
|
||||||
|
return isClosed || isCloseWaiting;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void initHandshaker() {
|
void initHandshaker() {
|
||||||
// clean up
|
// clean up
|
||||||
@ -71,6 +86,14 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
@Override
|
@Override
|
||||||
void changeWriteCiphers(SSLWriteCipher writeCipher,
|
void changeWriteCiphers(SSLWriteCipher writeCipher,
|
||||||
boolean useChangeCipherSpec) throws IOException {
|
boolean useChangeCipherSpec) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"change_cipher_spec message");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (useChangeCipherSpec) {
|
if (useChangeCipherSpec) {
|
||||||
encodeChangeCipherSpec();
|
encodeChangeCipherSpec();
|
||||||
}
|
}
|
||||||
@ -91,23 +114,31 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
void encodeAlert(byte level, byte description) throws IOException {
|
void encodeAlert(byte level, byte description) throws IOException {
|
||||||
RecordMemo memo = new RecordMemo();
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"alert message: " + Alert.nameOf(description));
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
memo.contentType = ContentType.ALERT.id;
|
if (fragmenter == null) {
|
||||||
memo.majorVersion = protocolVersion.major;
|
fragmenter = new DTLSFragmenter();
|
||||||
memo.minorVersion = protocolVersion.minor;
|
}
|
||||||
memo.encodeEpoch = writeEpoch;
|
|
||||||
memo.encodeCipher = writeCipher;
|
|
||||||
|
|
||||||
memo.fragment = new byte[2];
|
fragmenter.queueUpAlert(level, description);
|
||||||
memo.fragment[0] = level;
|
|
||||||
memo.fragment[1] = description;
|
|
||||||
|
|
||||||
alertMemos.add(memo);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void encodeChangeCipherSpec() throws IOException {
|
void encodeChangeCipherSpec() throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"change_cipher_spec message");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (fragmenter == null) {
|
if (fragmenter == null) {
|
||||||
fragmenter = new DTLSFragmenter();
|
fragmenter = new DTLSFragmenter();
|
||||||
}
|
}
|
||||||
@ -117,6 +148,15 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
@Override
|
@Override
|
||||||
void encodeHandshake(byte[] source,
|
void encodeHandshake(byte[] source,
|
||||||
int offset, int length) throws IOException {
|
int offset, int length) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"handshake message",
|
||||||
|
ByteBuffer.wrap(source, offset, length));
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (firstMessage) {
|
if (firstMessage) {
|
||||||
firstMessage = false;
|
firstMessage = false;
|
||||||
}
|
}
|
||||||
@ -132,6 +172,23 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
Ciphertext encode(
|
Ciphertext encode(
|
||||||
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
|
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
|
||||||
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
|
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
|
||||||
|
|
||||||
|
if (isClosed) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"application data or cached messages");
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
} else if (isCloseWaiting) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"application data");
|
||||||
|
}
|
||||||
|
|
||||||
|
srcs = null; // use no application data.
|
||||||
|
}
|
||||||
|
|
||||||
return encode(srcs, srcsOffset, srcsLength, dsts[0]);
|
return encode(srcs, srcsOffset, srcsLength, dsts[0]);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -237,48 +294,6 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
|
|
||||||
private Ciphertext acquireCiphertext(
|
private Ciphertext acquireCiphertext(
|
||||||
ByteBuffer destination) throws IOException {
|
ByteBuffer destination) throws IOException {
|
||||||
if (alertMemos != null && !alertMemos.isEmpty()) {
|
|
||||||
RecordMemo memo = alertMemos.pop();
|
|
||||||
|
|
||||||
int dstPos = destination.position();
|
|
||||||
int dstLim = destination.limit();
|
|
||||||
int dstContent = dstPos + headerSize +
|
|
||||||
writeCipher.getExplicitNonceSize();
|
|
||||||
destination.position(dstContent);
|
|
||||||
|
|
||||||
destination.put(memo.fragment);
|
|
||||||
|
|
||||||
destination.limit(destination.position());
|
|
||||||
destination.position(dstContent);
|
|
||||||
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
|
|
||||||
SSLLogger.fine(
|
|
||||||
"WRITE: " + protocolVersion + " " +
|
|
||||||
ContentType.ALERT.name +
|
|
||||||
", length = " + destination.remaining());
|
|
||||||
}
|
|
||||||
|
|
||||||
// Encrypt the fragment and wrap up a record.
|
|
||||||
long recordSN = encrypt(memo.encodeCipher,
|
|
||||||
ContentType.ALERT.id,
|
|
||||||
destination, dstPos, dstLim, headerSize,
|
|
||||||
ProtocolVersion.valueOf(memo.majorVersion,
|
|
||||||
memo.minorVersion));
|
|
||||||
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
|
|
||||||
ByteBuffer temporary = destination.duplicate();
|
|
||||||
temporary.limit(temporary.position());
|
|
||||||
temporary.position(dstPos);
|
|
||||||
SSLLogger.fine("Raw write", temporary);
|
|
||||||
}
|
|
||||||
|
|
||||||
// remain the limit unchanged
|
|
||||||
destination.limit(dstLim);
|
|
||||||
|
|
||||||
return new Ciphertext(ContentType.ALERT.id,
|
|
||||||
SSLHandshake.NOT_APPLICABLE.id, recordSN);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (fragmenter != null) {
|
if (fragmenter != null) {
|
||||||
return fragmenter.acquireCiphertext(destination);
|
return fragmenter.acquireCiphertext(destination);
|
||||||
}
|
}
|
||||||
@ -288,16 +303,14 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
boolean isEmpty() {
|
boolean isEmpty() {
|
||||||
return ((fragmenter == null) || fragmenter.isEmpty()) &&
|
return (fragmenter == null) || fragmenter.isEmpty();
|
||||||
((alertMemos == null) || alertMemos.isEmpty());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void launchRetransmission() {
|
void launchRetransmission() {
|
||||||
// Note: Please don't retransmit if there are handshake messages
|
// Note: Please don't retransmit if there are handshake messages
|
||||||
// or alerts waiting in the queue.
|
// or alerts waiting in the queue.
|
||||||
if (((alertMemos == null) || alertMemos.isEmpty()) &&
|
if ((fragmenter != null) && fragmenter.isRetransmittable()) {
|
||||||
(fragmenter != null) && fragmenter.isRetransmittable()) {
|
|
||||||
fragmenter.setRetransmission();
|
fragmenter.setRetransmission();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -338,29 +351,6 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
// size is bigger than 256 bytes.
|
// size is bigger than 256 bytes.
|
||||||
private int retransmits = 2; // attemps of retransmits
|
private int retransmits = 2; // attemps of retransmits
|
||||||
|
|
||||||
void queueUpChangeCipherSpec() {
|
|
||||||
|
|
||||||
// Cleanup if a new flight starts.
|
|
||||||
if (flightIsReady) {
|
|
||||||
handshakeMemos.clear();
|
|
||||||
acquireIndex = 0;
|
|
||||||
flightIsReady = false;
|
|
||||||
}
|
|
||||||
|
|
||||||
RecordMemo memo = new RecordMemo();
|
|
||||||
|
|
||||||
memo.contentType = ContentType.CHANGE_CIPHER_SPEC.id;
|
|
||||||
memo.majorVersion = protocolVersion.major;
|
|
||||||
memo.minorVersion = protocolVersion.minor;
|
|
||||||
memo.encodeEpoch = writeEpoch;
|
|
||||||
memo.encodeCipher = writeCipher;
|
|
||||||
|
|
||||||
memo.fragment = new byte[1];
|
|
||||||
memo.fragment[0] = 1;
|
|
||||||
|
|
||||||
handshakeMemos.add(memo);
|
|
||||||
}
|
|
||||||
|
|
||||||
void queueUpHandshake(byte[] buf,
|
void queueUpHandshake(byte[] buf,
|
||||||
int offset, int length) throws IOException {
|
int offset, int length) throws IOException {
|
||||||
|
|
||||||
@ -401,6 +391,45 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void queueUpChangeCipherSpec() {
|
||||||
|
|
||||||
|
// Cleanup if a new flight starts.
|
||||||
|
if (flightIsReady) {
|
||||||
|
handshakeMemos.clear();
|
||||||
|
acquireIndex = 0;
|
||||||
|
flightIsReady = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
RecordMemo memo = new RecordMemo();
|
||||||
|
|
||||||
|
memo.contentType = ContentType.CHANGE_CIPHER_SPEC.id;
|
||||||
|
memo.majorVersion = protocolVersion.major;
|
||||||
|
memo.minorVersion = protocolVersion.minor;
|
||||||
|
memo.encodeEpoch = writeEpoch;
|
||||||
|
memo.encodeCipher = writeCipher;
|
||||||
|
|
||||||
|
memo.fragment = new byte[1];
|
||||||
|
memo.fragment[0] = 1;
|
||||||
|
|
||||||
|
handshakeMemos.add(memo);
|
||||||
|
}
|
||||||
|
|
||||||
|
void queueUpAlert(byte level, byte description) throws IOException {
|
||||||
|
RecordMemo memo = new RecordMemo();
|
||||||
|
|
||||||
|
memo.contentType = ContentType.ALERT.id;
|
||||||
|
memo.majorVersion = protocolVersion.major;
|
||||||
|
memo.minorVersion = protocolVersion.minor;
|
||||||
|
memo.encodeEpoch = writeEpoch;
|
||||||
|
memo.encodeCipher = writeCipher;
|
||||||
|
|
||||||
|
memo.fragment = new byte[2];
|
||||||
|
memo.fragment[0] = level;
|
||||||
|
memo.fragment[1] = description;
|
||||||
|
|
||||||
|
handshakeMemos.add(memo);
|
||||||
|
}
|
||||||
|
|
||||||
Ciphertext acquireCiphertext(ByteBuffer dstBuf) throws IOException {
|
Ciphertext acquireCiphertext(ByteBuffer dstBuf) throws IOException {
|
||||||
if (isEmpty()) {
|
if (isEmpty()) {
|
||||||
if (isRetransmittable()) {
|
if (isRetransmittable()) {
|
||||||
@ -500,8 +529,13 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
return new Ciphertext(hsMemo.contentType,
|
return new Ciphertext(hsMemo.contentType,
|
||||||
hsMemo.handshakeType, recordSN);
|
hsMemo.handshakeType, recordSN);
|
||||||
} else {
|
} else {
|
||||||
|
if (isCloseWaiting &&
|
||||||
|
memo.contentType == ContentType.ALERT.id) {
|
||||||
|
close();
|
||||||
|
}
|
||||||
|
|
||||||
acquireIndex++;
|
acquireIndex++;
|
||||||
return new Ciphertext(ContentType.CHANGE_CIPHER_SPEC.id,
|
return new Ciphertext(memo.contentType,
|
||||||
SSLHandshake.NOT_APPLICABLE.id, recordSN);
|
SSLHandshake.NOT_APPLICABLE.id, recordSN);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -552,6 +586,16 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
boolean hasAlert() {
|
||||||
|
for (RecordMemo memo : handshakeMemos) {
|
||||||
|
if (memo.contentType == ContentType.ALERT.id) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
boolean isRetransmittable() {
|
boolean isRetransmittable() {
|
||||||
return (flightIsReady && !handshakeMemos.isEmpty() &&
|
return (flightIsReady && !handshakeMemos.isEmpty() &&
|
||||||
(acquireIndex >= handshakeMemos.size()));
|
(acquireIndex >= handshakeMemos.size()));
|
||||||
|
@ -47,7 +47,6 @@ import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
|
|||||||
import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
|
import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
|
||||||
import static sun.security.ssl.SupportedGroupsExtension.NamedGroupType.*;
|
import static sun.security.ssl.SupportedGroupsExtension.NamedGroupType.*;
|
||||||
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
|
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
|
||||||
import sun.security.ssl.PskKeyExchangeModesExtension.PskKeyExchangeMode;
|
|
||||||
|
|
||||||
abstract class HandshakeContext implements ConnectionContext {
|
abstract class HandshakeContext implements ConnectionContext {
|
||||||
// System properties
|
// System properties
|
||||||
|
@ -27,6 +27,7 @@ package sun.security.ssl;
|
|||||||
|
|
||||||
import java.io.ByteArrayOutputStream;
|
import java.io.ByteArrayOutputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.nio.ByteBuffer;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Output stream for handshake data. This is used only internally
|
* Output stream for handshake data. This is used only internally
|
||||||
@ -57,7 +58,14 @@ public class HandshakeOutStream extends ByteArrayOutputStream {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (outputRecord != null) {
|
if (outputRecord != null) {
|
||||||
outputRecord.encodeHandshake(buf, 0, count);
|
if (!outputRecord.isClosed()) {
|
||||||
|
outputRecord.encodeHandshake(buf, 0, count);
|
||||||
|
} else {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"handshake messages", ByteBuffer.wrap(buf, 0, count));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// reset the byte array output stream
|
// reset the byte array output stream
|
||||||
reset();
|
reset();
|
||||||
|
@ -223,8 +223,8 @@ final class KeyUpdate {
|
|||||||
Authenticator.valueOf(hc.conContext.protocolVersion),
|
Authenticator.valueOf(hc.conContext.protocolVersion),
|
||||||
hc.conContext.protocolVersion, key, ivSpec,
|
hc.conContext.protocolVersion, key, ivSpec,
|
||||||
hc.sslContext.getSecureRandom());
|
hc.sslContext.getSecureRandom());
|
||||||
|
rc.baseSecret = nplus1;
|
||||||
hc.conContext.inputRecord.changeReadCiphers(rc);
|
hc.conContext.inputRecord.changeReadCiphers(rc);
|
||||||
hc.conContext.inputRecord.readCipher.baseSecret = nplus1;
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
SSLLogger.fine("KeyUpdate: read key updated");
|
SSLLogger.fine("KeyUpdate: read key updated");
|
||||||
}
|
}
|
||||||
@ -303,13 +303,12 @@ final class KeyUpdate {
|
|||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Output the handshake message.
|
// Output the handshake message and change the write cipher.
|
||||||
km.write(hc.handshakeOutput);
|
//
|
||||||
hc.handshakeOutput.flush();
|
// The KeyUpdate handshake message SHALL be delivered in the
|
||||||
|
// changeWriteCiphers() implementation.
|
||||||
// change write cipher
|
wc.baseSecret = nplus1;
|
||||||
hc.conContext.outputRecord.changeWriteCiphers(wc, false);
|
hc.conContext.outputRecord.changeWriteCiphers(wc, km.status.id);
|
||||||
hc.conContext.outputRecord.writeCipher.baseSecret = nplus1;
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
SSLLogger.fine("KeyUpdate: write key updated");
|
SSLLogger.fine("KeyUpdate: write key updated");
|
||||||
}
|
}
|
||||||
|
@ -66,7 +66,7 @@ abstract class OutputRecord
|
|||||||
int fragmentSize;
|
int fragmentSize;
|
||||||
|
|
||||||
// closed or not?
|
// closed or not?
|
||||||
boolean isClosed;
|
volatile boolean isClosed;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Mappings from V3 cipher suite encodings to their pure V2 equivalents.
|
* Mappings from V3 cipher suite encodings to their pure V2 equivalents.
|
||||||
@ -76,6 +76,8 @@ abstract class OutputRecord
|
|||||||
{-1, -1, -1, 0x02, 0x01, -1, 0x04, 0x05, -1, 0x06, 0x07};
|
{-1, -1, -1, 0x02, 0x01, -1, 0x04, 0x05, -1, 0x06, 0x07};
|
||||||
private static final int[] V3toV2CipherMap3 =
|
private static final int[] V3toV2CipherMap3 =
|
||||||
{-1, -1, -1, 0x80, 0x80, -1, 0x80, 0x80, -1, 0x40, 0xC0};
|
{-1, -1, -1, 0x80, 0x80, -1, 0x80, 0x80, -1, 0x40, 0xC0};
|
||||||
|
private static final byte[] HANDSHAKE_MESSAGE_KEY_UPDATE =
|
||||||
|
{SSLHandshake.KEY_UPDATE.id, 0x00, 0x00, 0x01, 0x00};
|
||||||
|
|
||||||
OutputRecord(HandshakeHash handshakeHash, SSLWriteCipher writeCipher) {
|
OutputRecord(HandshakeHash handshakeHash, SSLWriteCipher writeCipher) {
|
||||||
this.writeCipher = writeCipher;
|
this.writeCipher = writeCipher;
|
||||||
@ -87,7 +89,7 @@ abstract class OutputRecord
|
|||||||
// Please set packetSize and protocolVersion in the implementation.
|
// Please set packetSize and protocolVersion in the implementation.
|
||||||
}
|
}
|
||||||
|
|
||||||
void setVersion(ProtocolVersion protocolVersion) {
|
synchronized void setVersion(ProtocolVersion protocolVersion) {
|
||||||
this.protocolVersion = protocolVersion;
|
this.protocolVersion = protocolVersion;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -106,7 +108,7 @@ abstract class OutputRecord
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean seqNumIsHuge() {
|
synchronized boolean seqNumIsHuge() {
|
||||||
return (writeCipher.authenticator != null) &&
|
return (writeCipher.authenticator != null) &&
|
||||||
writeCipher.authenticator.seqNumIsHuge();
|
writeCipher.authenticator.seqNumIsHuge();
|
||||||
}
|
}
|
||||||
@ -145,8 +147,17 @@ abstract class OutputRecord
|
|||||||
throw new UnsupportedOperationException();
|
throw new UnsupportedOperationException();
|
||||||
}
|
}
|
||||||
|
|
||||||
void changeWriteCiphers(SSLWriteCipher writeCipher,
|
// Change write ciphers, may use change_cipher_spec record.
|
||||||
|
synchronized void changeWriteCiphers(SSLWriteCipher writeCipher,
|
||||||
boolean useChangeCipherSpec) throws IOException {
|
boolean useChangeCipherSpec) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"change_cipher_spec message");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (useChangeCipherSpec) {
|
if (useChangeCipherSpec) {
|
||||||
encodeChangeCipherSpec();
|
encodeChangeCipherSpec();
|
||||||
}
|
}
|
||||||
@ -165,15 +176,39 @@ abstract class OutputRecord
|
|||||||
this.isFirstAppOutputRecord = true;
|
this.isFirstAppOutputRecord = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
void changePacketSize(int packetSize) {
|
// Change write ciphers using key_update handshake message.
|
||||||
|
synchronized void changeWriteCiphers(SSLWriteCipher writeCipher,
|
||||||
|
byte keyUpdateRequest) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"key_update handshake message");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// encode the handshake message, KeyUpdate
|
||||||
|
byte[] hm = HANDSHAKE_MESSAGE_KEY_UPDATE.clone();
|
||||||
|
hm[hm.length - 1] = keyUpdateRequest;
|
||||||
|
encodeHandshake(hm, 0, hm.length);
|
||||||
|
flush();
|
||||||
|
|
||||||
|
// Dispose of any intermediate state in the underlying cipher.
|
||||||
|
writeCipher.dispose();
|
||||||
|
|
||||||
|
this.writeCipher = writeCipher;
|
||||||
|
this.isFirstAppOutputRecord = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
synchronized void changePacketSize(int packetSize) {
|
||||||
this.packetSize = packetSize;
|
this.packetSize = packetSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
void changeFragmentSize(int fragmentSize) {
|
synchronized void changeFragmentSize(int fragmentSize) {
|
||||||
this.fragmentSize = fragmentSize;
|
this.fragmentSize = fragmentSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
int getMaxPacketSize() {
|
synchronized int getMaxPacketSize() {
|
||||||
return packetSize;
|
return packetSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -194,13 +229,15 @@ abstract class OutputRecord
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized void close() throws IOException {
|
public synchronized void close() throws IOException {
|
||||||
if (!isClosed) {
|
if (isClosed) {
|
||||||
isClosed = true;
|
return;
|
||||||
writeCipher.dispose();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
isClosed = true;
|
||||||
|
writeCipher.dispose();
|
||||||
}
|
}
|
||||||
|
|
||||||
synchronized boolean isClosed() {
|
boolean isClosed() {
|
||||||
return isClosed;
|
return isClosed;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -241,7 +278,7 @@ abstract class OutputRecord
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static long d13Encrypt(
|
private static long d13Encrypt(
|
||||||
SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
|
SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
|
||||||
int headerOffset, int dstLim, int headerSize,
|
int headerOffset, int dstLim, int headerSize,
|
||||||
ProtocolVersion protocolVersion) {
|
ProtocolVersion protocolVersion) {
|
||||||
@ -282,7 +319,7 @@ abstract class OutputRecord
|
|||||||
return Authenticator.toLong(sequenceNumber);
|
return Authenticator.toLong(sequenceNumber);
|
||||||
}
|
}
|
||||||
|
|
||||||
static long t13Encrypt(
|
private static long t13Encrypt(
|
||||||
SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
|
SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
|
||||||
int headerOffset, int dstLim, int headerSize,
|
int headerOffset, int dstLim, int headerSize,
|
||||||
ProtocolVersion protocolVersion) {
|
ProtocolVersion protocolVersion) {
|
||||||
@ -321,7 +358,7 @@ abstract class OutputRecord
|
|||||||
return Authenticator.toLong(sequenceNumber);
|
return Authenticator.toLong(sequenceNumber);
|
||||||
}
|
}
|
||||||
|
|
||||||
static long t10Encrypt(
|
private static long t10Encrypt(
|
||||||
SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
|
SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
|
||||||
int headerOffset, int dstLim, int headerSize,
|
int headerOffset, int dstLim, int headerSize,
|
||||||
ProtocolVersion protocolVersion) {
|
ProtocolVersion protocolVersion) {
|
||||||
@ -362,7 +399,7 @@ abstract class OutputRecord
|
|||||||
private static final byte[] zeros = new byte[16];
|
private static final byte[] zeros = new byte[16];
|
||||||
}
|
}
|
||||||
|
|
||||||
long t13Encrypt(
|
private long t13Encrypt(
|
||||||
SSLWriteCipher encCipher, byte contentType, int headerSize) {
|
SSLWriteCipher encCipher, byte contentType, int headerSize) {
|
||||||
if (!encCipher.isNullCipher()) {
|
if (!encCipher.isNullCipher()) {
|
||||||
// inner plaintext
|
// inner plaintext
|
||||||
@ -375,9 +412,10 @@ abstract class OutputRecord
|
|||||||
int contentLen = count - position;
|
int contentLen = count - position;
|
||||||
|
|
||||||
// ensure the capacity
|
// ensure the capacity
|
||||||
int packetSize = encCipher.calculatePacketSize(contentLen, headerSize);
|
int requiredPacketSize =
|
||||||
if (packetSize > buf.length) {
|
encCipher.calculatePacketSize(contentLen, headerSize);
|
||||||
byte[] newBuf = new byte[packetSize];
|
if (requiredPacketSize > buf.length) {
|
||||||
|
byte[] newBuf = new byte[requiredPacketSize];
|
||||||
System.arraycopy(buf, 0, newBuf, 0, count);
|
System.arraycopy(buf, 0, newBuf, 0, count);
|
||||||
buf = newBuf;
|
buf = newBuf;
|
||||||
}
|
}
|
||||||
@ -406,16 +444,17 @@ abstract class OutputRecord
|
|||||||
return Authenticator.toLong(sequenceNumber);
|
return Authenticator.toLong(sequenceNumber);
|
||||||
}
|
}
|
||||||
|
|
||||||
long t10Encrypt(
|
private long t10Encrypt(
|
||||||
SSLWriteCipher encCipher, byte contentType, int headerSize) {
|
SSLWriteCipher encCipher, byte contentType, int headerSize) {
|
||||||
byte[] sequenceNumber = encCipher.authenticator.sequenceNumber();
|
byte[] sequenceNumber = encCipher.authenticator.sequenceNumber();
|
||||||
int position = headerSize + writeCipher.getExplicitNonceSize();
|
int position = headerSize + writeCipher.getExplicitNonceSize();
|
||||||
int contentLen = count - position;
|
int contentLen = count - position;
|
||||||
|
|
||||||
// ensure the capacity
|
// ensure the capacity
|
||||||
int packetSize = encCipher.calculatePacketSize(contentLen, headerSize);
|
int requiredPacketSize =
|
||||||
if (packetSize > buf.length) {
|
encCipher.calculatePacketSize(contentLen, headerSize);
|
||||||
byte[] newBuf = new byte[packetSize];
|
if (requiredPacketSize > buf.length) {
|
||||||
|
byte[] newBuf = new byte[requiredPacketSize];
|
||||||
System.arraycopy(buf, 0, newBuf, 0, count);
|
System.arraycopy(buf, 0, newBuf, 0, count);
|
||||||
buf = newBuf;
|
buf = newBuf;
|
||||||
}
|
}
|
||||||
|
@ -96,6 +96,10 @@ final class SSLConfiguration implements Cloneable {
|
|||||||
static final boolean useCompatibilityMode = Utilities.getBooleanProperty(
|
static final boolean useCompatibilityMode = Utilities.getBooleanProperty(
|
||||||
"jdk.tls.client.useCompatibilityMode", true);
|
"jdk.tls.client.useCompatibilityMode", true);
|
||||||
|
|
||||||
|
// Respond a close_notify alert if receiving close_notify alert.
|
||||||
|
static final boolean acknowledgeCloseNotify = Utilities.getBooleanProperty(
|
||||||
|
"jdk.tls.acknowledgeCloseNotify", false);
|
||||||
|
|
||||||
// TODO: Please remove after TLS 1.3 draft interop testing
|
// TODO: Please remove after TLS 1.3 draft interop testing
|
||||||
// delete me
|
// delete me
|
||||||
static int tls13VN;
|
static int tls13VN;
|
||||||
|
@ -155,6 +155,7 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
|
|||||||
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
|
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
|
||||||
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
|
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
|
||||||
|
|
||||||
|
// May need to deliver cached records.
|
||||||
if (isOutboundDone()) {
|
if (isOutboundDone()) {
|
||||||
return new SSLEngineResult(
|
return new SSLEngineResult(
|
||||||
Status.CLOSED, getHandshakeStatus(), 0, 0);
|
Status.CLOSED, getHandshakeStatus(), 0, 0);
|
||||||
@ -162,8 +163,9 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
|
|||||||
|
|
||||||
HandshakeContext hc = conContext.handshakeContext;
|
HandshakeContext hc = conContext.handshakeContext;
|
||||||
HandshakeStatus hsStatus = null;
|
HandshakeStatus hsStatus = null;
|
||||||
if (!conContext.isNegotiated &&
|
if (!conContext.isNegotiated && !conContext.isBroken &&
|
||||||
!conContext.isClosed() && !conContext.isBroken) {
|
!conContext.isInboundClosed() &&
|
||||||
|
!conContext.isOutboundClosed()) {
|
||||||
conContext.kickstart();
|
conContext.kickstart();
|
||||||
|
|
||||||
hsStatus = getHandshakeStatus();
|
hsStatus = getHandshakeStatus();
|
||||||
@ -315,7 +317,8 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Is the sequence number is nearly overflow?
|
// Is the sequence number is nearly overflow?
|
||||||
if (conContext.outputRecord.seqNumIsHuge()) {
|
if (conContext.outputRecord.seqNumIsHuge() ||
|
||||||
|
conContext.outputRecord.writeCipher.atKeyLimit()) {
|
||||||
hsStatus = tryKeyUpdate(hsStatus);
|
hsStatus = tryKeyUpdate(hsStatus);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -343,25 +346,29 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Try renegotiation or key update for sequence number wrap.
|
* Try key update for sequence number wrap or key usage limit.
|
||||||
*
|
*
|
||||||
* Note that in order to maintain the handshake status properly, we check
|
* Note that in order to maintain the handshake status properly, we check
|
||||||
* the sequence number after the last record reading/writing process. As
|
* the sequence number and key usage limit after the last record
|
||||||
* we request renegotiation or close the connection for wrapped sequence
|
* reading/writing process.
|
||||||
|
*
|
||||||
|
* As we request renegotiation or close the connection for wrapped sequence
|
||||||
* number when there is enough sequence number space left to handle a few
|
* number when there is enough sequence number space left to handle a few
|
||||||
* more records, so the sequence number of the last record cannot be
|
* more records, so the sequence number of the last record cannot be
|
||||||
* wrapped.
|
* wrapped.
|
||||||
*/
|
*/
|
||||||
private HandshakeStatus tryKeyUpdate(
|
private HandshakeStatus tryKeyUpdate(
|
||||||
HandshakeStatus currentHandshakeStatus) throws IOException {
|
HandshakeStatus currentHandshakeStatus) throws IOException {
|
||||||
// Don't bother to kickstart the renegotiation or key update when the
|
// Don't bother to kickstart if handshaking is in progress, or if the
|
||||||
// local is asking for it.
|
// connection is not duplex-open.
|
||||||
if ((conContext.handshakeContext == null) &&
|
if ((conContext.handshakeContext == null) &&
|
||||||
!conContext.isClosed() && !conContext.isBroken) {
|
!conContext.isOutboundClosed() &&
|
||||||
|
!conContext.isInboundClosed() &&
|
||||||
|
!conContext.isBroken) {
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
SSLLogger.finest("key update to wrap sequence number");
|
SSLLogger.finest("trigger key update");
|
||||||
}
|
}
|
||||||
conContext.keyUpdate();
|
beginHandshake();
|
||||||
return conContext.getHandshakeStatus();
|
return conContext.getHandshakeStatus();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -471,8 +478,9 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
|
|||||||
}
|
}
|
||||||
|
|
||||||
HandshakeStatus hsStatus = null;
|
HandshakeStatus hsStatus = null;
|
||||||
if (!conContext.isNegotiated &&
|
if (!conContext.isNegotiated && !conContext.isBroken &&
|
||||||
!conContext.isClosed() && !conContext.isBroken) {
|
!conContext.isInboundClosed() &&
|
||||||
|
!conContext.isOutboundClosed()) {
|
||||||
conContext.kickstart();
|
conContext.kickstart();
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -677,7 +685,8 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Is the sequence number is nearly overflow?
|
// Is the sequence number is nearly overflow?
|
||||||
if (conContext.inputRecord.seqNumIsHuge()) {
|
if (conContext.inputRecord.seqNumIsHuge() ||
|
||||||
|
conContext.inputRecord.readCipher.atKeyLimit()) {
|
||||||
pt.handshakeStatus =
|
pt.handshakeStatus =
|
||||||
tryKeyUpdate(pt.handshakeStatus);
|
tryKeyUpdate(pt.handshakeStatus);
|
||||||
}
|
}
|
||||||
@ -700,16 +709,42 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized void closeInbound() throws SSLException {
|
public synchronized void closeInbound() throws SSLException {
|
||||||
|
if (isInboundDone()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.finest("Closing inbound of SSLEngine");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Is it ready to close inbound?
|
||||||
|
//
|
||||||
|
// No need to throw exception if the initial handshake is not started.
|
||||||
|
if (!conContext.isInputCloseNotified &&
|
||||||
|
(conContext.isNegotiated || conContext.handshakeContext != null)) {
|
||||||
|
|
||||||
|
conContext.fatal(Alert.INTERNAL_ERROR,
|
||||||
|
"closing inbound before receiving peer's close_notify");
|
||||||
|
}
|
||||||
|
|
||||||
conContext.closeInbound();
|
conContext.closeInbound();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized boolean isInboundDone() {
|
public synchronized boolean isInboundDone() {
|
||||||
return conContext.isInboundDone();
|
return conContext.isInboundClosed();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized void closeOutbound() {
|
public synchronized void closeOutbound() {
|
||||||
|
if (conContext.isOutboundClosed()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.finest("Closing outbound of SSLEngine");
|
||||||
|
}
|
||||||
|
|
||||||
conContext.closeOutbound();
|
conContext.closeOutbound();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -34,8 +34,6 @@ import javax.net.ssl.SSLException;
|
|||||||
import javax.net.ssl.SSLHandshakeException;
|
import javax.net.ssl.SSLHandshakeException;
|
||||||
import javax.net.ssl.SSLProtocolException;
|
import javax.net.ssl.SSLProtocolException;
|
||||||
import sun.security.ssl.SSLCipher.SSLReadCipher;
|
import sun.security.ssl.SSLCipher.SSLReadCipher;
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateMessage;
|
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateRequest;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* {@code InputRecord} implementation for {@code SSLEngine}.
|
* {@code InputRecord} implementation for {@code SSLEngine}.
|
||||||
@ -300,7 +298,7 @@ final class SSLEngineInputRecord extends InputRecord implements SSLRecord {
|
|||||||
handshakeBuffer.put(handshakeFrag);
|
handshakeBuffer.put(handshakeFrag);
|
||||||
handshakeBuffer.rewind();
|
handshakeBuffer.rewind();
|
||||||
break;
|
break;
|
||||||
} if (remaining == handshakeMessageLen) {
|
} else if (remaining == handshakeMessageLen) {
|
||||||
if (handshakeHash.isHashable(handshakeType)) {
|
if (handshakeHash.isHashable(handshakeType)) {
|
||||||
handshakeHash.receive(handshakeFrag);
|
handshakeHash.receive(handshakeFrag);
|
||||||
}
|
}
|
||||||
@ -333,20 +331,6 @@ final class SSLEngineInputRecord extends InputRecord implements SSLRecord {
|
|||||||
return plaintexts.toArray(new Plaintext[0]);
|
return plaintexts.toArray(new Plaintext[0]);
|
||||||
}
|
}
|
||||||
|
|
||||||
// KeyLimit check during application data.
|
|
||||||
// atKeyLimit() inactive when limits not checked, tc set when limits
|
|
||||||
// are active.
|
|
||||||
|
|
||||||
if (readCipher.atKeyLimit()) {
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
||||||
SSLLogger.fine("KeyUpdate: triggered, read side.");
|
|
||||||
}
|
|
||||||
|
|
||||||
PostHandshakeContext p = new PostHandshakeContext(tc);
|
|
||||||
KeyUpdate.handshakeProducer.produce(p,
|
|
||||||
new KeyUpdateMessage(p, KeyUpdateRequest.REQUESTED));
|
|
||||||
}
|
|
||||||
|
|
||||||
return new Plaintext[] {
|
return new Plaintext[] {
|
||||||
new Plaintext(contentType,
|
new Plaintext(contentType,
|
||||||
majorVersion, minorVersion, -1, -1L, fragment)
|
majorVersion, minorVersion, -1, -1L, fragment)
|
||||||
|
@ -31,8 +31,6 @@ import java.util.LinkedList;
|
|||||||
import javax.net.ssl.SSLHandshakeException;
|
import javax.net.ssl.SSLHandshakeException;
|
||||||
|
|
||||||
import sun.security.ssl.SSLCipher.SSLWriteCipher;
|
import sun.security.ssl.SSLCipher.SSLWriteCipher;
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateMessage;
|
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateRequest;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* {@code OutputRecord} implementation for {@code SSLEngine}.
|
* {@code OutputRecord} implementation for {@code SSLEngine}.
|
||||||
@ -43,7 +41,7 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
private boolean isTalkingToV2 = false; // SSLv2Hello
|
private boolean isTalkingToV2 = false; // SSLv2Hello
|
||||||
private ByteBuffer v2ClientHello = null; // SSLv2Hello
|
private ByteBuffer v2ClientHello = null; // SSLv2Hello
|
||||||
|
|
||||||
private boolean isCloseWaiting = false;
|
private volatile boolean isCloseWaiting = false;
|
||||||
|
|
||||||
SSLEngineOutputRecord(HandshakeHash handshakeHash) {
|
SSLEngineOutputRecord(HandshakeHash handshakeHash) {
|
||||||
super(handshakeHash, SSLWriteCipher.nullTlsWriteCipher());
|
super(handshakeHash, SSLWriteCipher.nullTlsWriteCipher());
|
||||||
@ -63,8 +61,20 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
boolean isClosed() {
|
||||||
|
return isClosed || isCloseWaiting;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void encodeAlert(byte level, byte description) throws IOException {
|
void encodeAlert(byte level, byte description) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"alert message: " + Alert.nameOf(description));
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (fragmenter == null) {
|
if (fragmenter == null) {
|
||||||
fragmenter = new HandshakeFragment();
|
fragmenter = new HandshakeFragment();
|
||||||
}
|
}
|
||||||
@ -75,6 +85,14 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
@Override
|
@Override
|
||||||
void encodeHandshake(byte[] source,
|
void encodeHandshake(byte[] source,
|
||||||
int offset, int length) throws IOException {
|
int offset, int length) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"handshake message",
|
||||||
|
ByteBuffer.wrap(source, offset, length));
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (fragmenter == null) {
|
if (fragmenter == null) {
|
||||||
fragmenter = new HandshakeFragment();
|
fragmenter = new HandshakeFragment();
|
||||||
@ -114,6 +132,14 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
void encodeChangeCipherSpec() throws IOException {
|
void encodeChangeCipherSpec() throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"change_cipher_spec message");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (fragmenter == null) {
|
if (fragmenter == null) {
|
||||||
fragmenter = new HandshakeFragment();
|
fragmenter = new HandshakeFragment();
|
||||||
}
|
}
|
||||||
@ -129,6 +155,23 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
Ciphertext encode(
|
Ciphertext encode(
|
||||||
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
|
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
|
||||||
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
|
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
|
||||||
|
|
||||||
|
if (isClosed) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"application data or cached messages");
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
} else if (isCloseWaiting) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"application data");
|
||||||
|
}
|
||||||
|
|
||||||
|
srcs = null; // use no application data.
|
||||||
|
}
|
||||||
|
|
||||||
return encode(srcs, srcsOffset, srcsLength, dsts[0]);
|
return encode(srcs, srcsOffset, srcsLength, dsts[0]);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -248,25 +291,14 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
if (isFirstAppOutputRecord) {
|
if (isFirstAppOutputRecord) {
|
||||||
isFirstAppOutputRecord = false;
|
isFirstAppOutputRecord = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// atKeyLimit() inactive when limits not checked, tc set when limits
|
|
||||||
// are active.
|
|
||||||
if (writeCipher.atKeyLimit()) {
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
||||||
SSLLogger.fine("KeyUpdate: triggered, write side.");
|
|
||||||
}
|
|
||||||
|
|
||||||
PostHandshakeContext p = new PostHandshakeContext(tc);
|
|
||||||
KeyUpdate.handshakeProducer.produce(p,
|
|
||||||
new KeyUpdateMessage(p, KeyUpdateRequest.REQUESTED));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return new Ciphertext(ContentType.APPLICATION_DATA.id,
|
return new Ciphertext(ContentType.APPLICATION_DATA.id,
|
||||||
SSLHandshake.NOT_APPLICABLE.id, recordSN);
|
SSLHandshake.NOT_APPLICABLE.id, recordSN);
|
||||||
}
|
}
|
||||||
|
|
||||||
private Ciphertext acquireCiphertext(ByteBuffer destination) throws IOException {
|
private Ciphertext acquireCiphertext(
|
||||||
|
ByteBuffer destination) throws IOException {
|
||||||
if (isTalkingToV2) { // SSLv2Hello
|
if (isTalkingToV2) { // SSLv2Hello
|
||||||
// We don't support SSLv2. Send an SSLv2 error message
|
// We don't support SSLv2. Send an SSLv2 error message
|
||||||
// so that the connection can be closed gracefully.
|
// so that the connection can be closed gracefully.
|
||||||
@ -517,7 +549,7 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
|
|
||||||
boolean hasAlert() {
|
boolean hasAlert() {
|
||||||
for (RecordMemo memo : handshakeMemos) {
|
for (RecordMemo memo : handshakeMemos) {
|
||||||
if (memo.contentType == ContentType.ALERT.id) {
|
if (memo.contentType == ContentType.ALERT.id) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -366,6 +366,7 @@ enum SSLHandshake implements SSLConsumer, HandshakeProducer {
|
|||||||
SSLHandshake(byte id, String name,
|
SSLHandshake(byte id, String name,
|
||||||
Map.Entry<SSLConsumer, ProtocolVersion[]>[] handshakeConsumers,
|
Map.Entry<SSLConsumer, ProtocolVersion[]>[] handshakeConsumers,
|
||||||
Map.Entry<HandshakeProducer, ProtocolVersion[]>[] handshakeProducers) {
|
Map.Entry<HandshakeProducer, ProtocolVersion[]>[] handshakeProducers) {
|
||||||
|
|
||||||
this(id, name, handshakeConsumers, handshakeProducers,
|
this(id, name, handshakeConsumers, handshakeProducers,
|
||||||
(Map.Entry<HandshakeAbsence, ProtocolVersion[]>[])(
|
(Map.Entry<HandshakeAbsence, ProtocolVersion[]>[])(
|
||||||
new Map.Entry[0]));
|
new Map.Entry[0]));
|
||||||
@ -375,6 +376,7 @@ enum SSLHandshake implements SSLConsumer, HandshakeProducer {
|
|||||||
Map.Entry<SSLConsumer, ProtocolVersion[]>[] handshakeConsumers,
|
Map.Entry<SSLConsumer, ProtocolVersion[]>[] handshakeConsumers,
|
||||||
Map.Entry<HandshakeProducer, ProtocolVersion[]>[] handshakeProducers,
|
Map.Entry<HandshakeProducer, ProtocolVersion[]>[] handshakeProducers,
|
||||||
Map.Entry<HandshakeAbsence, ProtocolVersion[]>[] handshakeAbsence) {
|
Map.Entry<HandshakeAbsence, ProtocolVersion[]>[] handshakeAbsence) {
|
||||||
|
|
||||||
this.id = id;
|
this.id = id;
|
||||||
this.name = name;
|
this.name = name;
|
||||||
this.handshakeConsumers = handshakeConsumers;
|
this.handshakeConsumers = handshakeConsumers;
|
||||||
@ -404,7 +406,12 @@ enum SSLHandshake implements SSLConsumer, HandshakeProducer {
|
|||||||
ProtocolVersion protocolVersion;
|
ProtocolVersion protocolVersion;
|
||||||
if ((hc.negotiatedProtocol == null) ||
|
if ((hc.negotiatedProtocol == null) ||
|
||||||
(hc.negotiatedProtocol == ProtocolVersion.NONE)) {
|
(hc.negotiatedProtocol == ProtocolVersion.NONE)) {
|
||||||
protocolVersion = hc.maximumActiveProtocol;
|
if (hc.conContext.isNegotiated &&
|
||||||
|
hc.conContext.protocolVersion != ProtocolVersion.NONE) {
|
||||||
|
protocolVersion = hc.conContext.protocolVersion;
|
||||||
|
} else {
|
||||||
|
protocolVersion = hc.maximumActiveProtocol;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
protocolVersion = hc.negotiatedProtocol;
|
protocolVersion = hc.negotiatedProtocol;
|
||||||
}
|
}
|
||||||
@ -444,7 +451,12 @@ enum SSLHandshake implements SSLConsumer, HandshakeProducer {
|
|||||||
ProtocolVersion protocolVersion;
|
ProtocolVersion protocolVersion;
|
||||||
if ((hc.negotiatedProtocol == null) ||
|
if ((hc.negotiatedProtocol == null) ||
|
||||||
(hc.negotiatedProtocol == ProtocolVersion.NONE)) {
|
(hc.negotiatedProtocol == ProtocolVersion.NONE)) {
|
||||||
protocolVersion = hc.maximumActiveProtocol;
|
if (hc.conContext.isNegotiated &&
|
||||||
|
hc.conContext.protocolVersion != ProtocolVersion.NONE) {
|
||||||
|
protocolVersion = hc.conContext.protocolVersion;
|
||||||
|
} else {
|
||||||
|
protocolVersion = hc.maximumActiveProtocol;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
protocolVersion = hc.negotiatedProtocol;
|
protocolVersion = hc.negotiatedProtocol;
|
||||||
}
|
}
|
||||||
|
@ -82,7 +82,7 @@ public final class SSLSocketImpl
|
|||||||
private String peerHost;
|
private String peerHost;
|
||||||
private boolean autoClose;
|
private boolean autoClose;
|
||||||
private boolean isConnected = false;
|
private boolean isConnected = false;
|
||||||
private boolean tlsIsClosed = false;
|
private volatile boolean tlsIsClosed = false;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Is the local name service trustworthy?
|
* Is the local name service trustworthy?
|
||||||
@ -325,7 +325,7 @@ public final class SSLSocketImpl
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized SSLSession getSession() {
|
public SSLSession getSession() {
|
||||||
try {
|
try {
|
||||||
// start handshaking, if failed, the connection will be closed.
|
// start handshaking, if failed, the connection will be closed.
|
||||||
ensureNegotiated();
|
ensureNegotiated();
|
||||||
@ -343,7 +343,11 @@ public final class SSLSocketImpl
|
|||||||
@Override
|
@Override
|
||||||
public synchronized SSLSession getHandshakeSession() {
|
public synchronized SSLSession getHandshakeSession() {
|
||||||
if (conContext.handshakeContext != null) {
|
if (conContext.handshakeContext != null) {
|
||||||
return conContext.handshakeContext.handshakeSession;
|
synchronized (this) {
|
||||||
|
if (conContext.handshakeContext != null) {
|
||||||
|
return conContext.handshakeContext.handshakeSession;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
@ -370,23 +374,39 @@ public final class SSLSocketImpl
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized void startHandshake() throws IOException {
|
public void startHandshake() throws IOException {
|
||||||
checkWrite();
|
if (!isConnected) {
|
||||||
try {
|
throw new SocketException("Socket is not connected");
|
||||||
conContext.kickstart();
|
}
|
||||||
|
|
||||||
// All initial handshaking goes through this operation until we
|
if (conContext.isBroken || conContext.isInboundClosed() ||
|
||||||
// have a valid SSL connection.
|
conContext.isOutboundClosed()) {
|
||||||
//
|
throw new SocketException("Socket has been closed or broken");
|
||||||
// Handle handshake messages only, need no application data.
|
}
|
||||||
if (!conContext.isNegotiated) {
|
|
||||||
readRecord();
|
synchronized (conContext) { // handshake lock
|
||||||
|
// double check the context status
|
||||||
|
if (conContext.isBroken || conContext.isInboundClosed() ||
|
||||||
|
conContext.isOutboundClosed()) {
|
||||||
|
throw new SocketException("Socket has been closed or broken");
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
conContext.kickstart();
|
||||||
|
|
||||||
|
// All initial handshaking goes through this operation until we
|
||||||
|
// have a valid SSL connection.
|
||||||
|
//
|
||||||
|
// Handle handshake messages only, need no application data.
|
||||||
|
if (!conContext.isNegotiated) {
|
||||||
|
readHandshakeRecord();
|
||||||
|
}
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
conContext.fatal(Alert.HANDSHAKE_FAILURE,
|
||||||
|
"Couldn't kickstart handshaking", ioe);
|
||||||
|
} catch (Exception oe) { // including RuntimeException
|
||||||
|
handleException(oe);
|
||||||
}
|
}
|
||||||
} catch (IOException ioe) {
|
|
||||||
conContext.fatal(Alert.HANDSHAKE_FAILURE,
|
|
||||||
"Couldn't kickstart handshaking", ioe);
|
|
||||||
} catch (Exception oe) { // including RuntimeException
|
|
||||||
handleException(oe);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -437,44 +457,264 @@ public final class SSLSocketImpl
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized boolean isClosed() {
|
public boolean isClosed() {
|
||||||
return tlsIsClosed && conContext.isClosed();
|
return tlsIsClosed;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Please don't synchronized this method. Otherwise, the read and close
|
||||||
|
// locks may be deadlocked.
|
||||||
@Override
|
@Override
|
||||||
public synchronized void close() throws IOException {
|
public void close() throws IOException {
|
||||||
|
if (tlsIsClosed) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.fine("duplex close of SSLSocket");
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
conContext.close();
|
// shutdown output bound, which may have been closed previously.
|
||||||
|
if (!isOutputShutdown()) {
|
||||||
|
duplexCloseOutput();
|
||||||
|
}
|
||||||
|
|
||||||
|
// shutdown input bound, which may have been closed previously.
|
||||||
|
if (!isInputShutdown()) {
|
||||||
|
duplexCloseInput();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!isClosed()) {
|
||||||
|
// close the connection directly
|
||||||
|
closeSocket(false);
|
||||||
|
}
|
||||||
} catch (IOException ioe) {
|
} catch (IOException ioe) {
|
||||||
// ignore the exception
|
// ignore the exception
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
SSLLogger.warning("connection context closure failed", ioe);
|
SSLLogger.warning("SSLSocket duplex close failed", ioe);
|
||||||
}
|
}
|
||||||
} finally {
|
} finally {
|
||||||
tlsIsClosed = true;
|
tlsIsClosed = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Duplex close, start from closing outbound.
|
||||||
|
*
|
||||||
|
* For TLS 1.2 [RFC 5246], unless some other fatal alert has been
|
||||||
|
* transmitted, each party is required to send a close_notify alert
|
||||||
|
* before closing the write side of the connection. The other party
|
||||||
|
* MUST respond with a close_notify alert of its own and close down
|
||||||
|
* the connection immediately, discarding any pending writes. It is
|
||||||
|
* not required for the initiator of the close to wait for the responding
|
||||||
|
* close_notify alert before closing the read side of the connection.
|
||||||
|
*
|
||||||
|
* For TLS 1.3, Each party MUST send a close_notify alert before
|
||||||
|
* closing its write side of the connection, unless it has already sent
|
||||||
|
* some error alert. This does not have any effect on its read side of
|
||||||
|
* the connection. Both parties need not wait to receive a close_notify
|
||||||
|
* alert before closing their read side of the connection, though doing
|
||||||
|
* so would introduce the possibility of truncation.
|
||||||
|
*
|
||||||
|
* In order to support user initiated duplex-close for TLS 1.3 connections,
|
||||||
|
* the user_canceled alert is used together with the close_notify alert.
|
||||||
|
*/
|
||||||
|
private void duplexCloseOutput() throws IOException {
|
||||||
|
boolean useUserCanceled = false;
|
||||||
|
boolean hasCloseReceipt = false;
|
||||||
|
if (conContext.isNegotiated) {
|
||||||
|
if (!conContext.protocolVersion.useTLS13PlusSpec()) {
|
||||||
|
hasCloseReceipt = true;
|
||||||
|
} else {
|
||||||
|
// Use a user_canceled alert for TLS 1.3 duplex close.
|
||||||
|
useUserCanceled = true;
|
||||||
|
}
|
||||||
|
} else if (conContext.handshakeContext != null) { // initial handshake
|
||||||
|
// Use user_canceled alert regardless the protocol versions.
|
||||||
|
useUserCanceled = true;
|
||||||
|
|
||||||
|
// The protocol version may have been negotiated.
|
||||||
|
ProtocolVersion pv = conContext.handshakeContext.negotiatedProtocol;
|
||||||
|
if (pv == null || (!pv.useTLS13PlusSpec())) {
|
||||||
|
hasCloseReceipt = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Need a lock here so that the user_canceled alert and the
|
||||||
|
// close_notify alert can be delivered together.
|
||||||
|
try {
|
||||||
|
synchronized (conContext.outputRecord) {
|
||||||
|
// send a user_canceled alert if needed.
|
||||||
|
if (useUserCanceled) {
|
||||||
|
conContext.warning(Alert.USER_CANCELED);
|
||||||
|
}
|
||||||
|
|
||||||
|
// send a close_notify alert
|
||||||
|
conContext.warning(Alert.CLOSE_NOTIFY);
|
||||||
|
}
|
||||||
|
} finally {
|
||||||
|
if (!conContext.isOutboundClosed()) {
|
||||||
|
conContext.outputRecord.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((autoClose || !isLayered()) && !super.isOutputShutdown()) {
|
||||||
|
super.shutdownOutput();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!isInputShutdown()) {
|
||||||
|
bruteForceCloseInput(hasCloseReceipt);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Duplex close, start from closing inbound.
|
||||||
|
*
|
||||||
|
* This method should only be called when the outbound has been closed,
|
||||||
|
* but the inbound is still open.
|
||||||
|
*/
|
||||||
|
private void duplexCloseInput() throws IOException {
|
||||||
|
boolean hasCloseReceipt = false;
|
||||||
|
if (conContext.isNegotiated &&
|
||||||
|
!conContext.protocolVersion.useTLS13PlusSpec()) {
|
||||||
|
hasCloseReceipt = true;
|
||||||
|
} // No close receipt if handshake has no completed.
|
||||||
|
|
||||||
|
bruteForceCloseInput(hasCloseReceipt);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Brute force close the input bound.
|
||||||
|
*
|
||||||
|
* This method should only be called when the outbound has been closed,
|
||||||
|
* but the inbound is still open.
|
||||||
|
*/
|
||||||
|
private void bruteForceCloseInput(
|
||||||
|
boolean hasCloseReceipt) throws IOException {
|
||||||
|
if (hasCloseReceipt) {
|
||||||
|
// It is not required for the initiator of the close to wait for
|
||||||
|
// the responding close_notify alert before closing the read side
|
||||||
|
// of the connection. However, if the application protocol using
|
||||||
|
// TLS provides that any data may be carried over the underlying
|
||||||
|
// transport after the TLS connection is closed, the TLS
|
||||||
|
// implementation MUST receive a "close_notify" alert before
|
||||||
|
// indicating end-of-data to the application-layer.
|
||||||
|
try {
|
||||||
|
this.shutdown();
|
||||||
|
} finally {
|
||||||
|
if (!isInputShutdown()) {
|
||||||
|
shutdownInput(false);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (!conContext.isInboundClosed()) {
|
||||||
|
conContext.inputRecord.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((autoClose || !isLayered()) && !super.isInputShutdown()) {
|
||||||
|
super.shutdownInput();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Please don't synchronized this method. Otherwise, the read and close
|
||||||
|
// locks may be deadlocked.
|
||||||
|
@Override
|
||||||
|
public void shutdownInput() throws IOException {
|
||||||
|
shutdownInput(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
// It is not required to check the close_notify receipt unless an
|
||||||
|
// application call shutdownInput() explicitly.
|
||||||
|
private void shutdownInput(
|
||||||
|
boolean checkCloseNotify) throws IOException {
|
||||||
|
if (isInputShutdown()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.fine("close inbound of SSLSocket");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Is it ready to close inbound?
|
||||||
|
//
|
||||||
|
// No need to throw exception if the initial handshake is not started.
|
||||||
|
if (checkCloseNotify && !conContext.isInputCloseNotified &&
|
||||||
|
(conContext.isNegotiated || conContext.handshakeContext != null)) {
|
||||||
|
|
||||||
|
conContext.fatal(Alert.INTERNAL_ERROR,
|
||||||
|
"closing inbound before receiving peer's close_notify");
|
||||||
|
}
|
||||||
|
|
||||||
|
conContext.closeInbound();
|
||||||
|
if ((autoClose || !isLayered()) && !super.isInputShutdown()) {
|
||||||
|
super.shutdownInput();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isInputShutdown() {
|
||||||
|
return conContext.isInboundClosed() &&
|
||||||
|
((autoClose || !isLayered()) ? super.isInputShutdown(): true);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Please don't synchronized this method. Otherwise, the read and close
|
||||||
|
// locks may be deadlocked.
|
||||||
|
@Override
|
||||||
|
public void shutdownOutput() throws IOException {
|
||||||
|
if (isOutputShutdown()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.fine("close outbound of SSLSocket");
|
||||||
|
}
|
||||||
|
conContext.closeOutbound();
|
||||||
|
|
||||||
|
if ((autoClose || !isLayered()) && !super.isOutputShutdown()) {
|
||||||
|
super.shutdownOutput();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isOutputShutdown() {
|
||||||
|
return conContext.isOutboundClosed() &&
|
||||||
|
((autoClose || !isLayered()) ? super.isOutputShutdown(): true);
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized InputStream getInputStream() throws IOException {
|
public synchronized InputStream getInputStream() throws IOException {
|
||||||
if (isClosed() || conContext.isInboundDone()) {
|
if (isClosed()) {
|
||||||
throw new SocketException("Socket or inbound is closed");
|
throw new SocketException("Socket is closed");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isConnected) {
|
if (!isConnected) {
|
||||||
throw new SocketException("Socket is not connected");
|
throw new SocketException("Socket is not connected");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (conContext.isInboundClosed() || isInputShutdown()) {
|
||||||
|
throw new SocketException("Socket input is already shutdown");
|
||||||
|
}
|
||||||
|
|
||||||
return appInput;
|
return appInput;
|
||||||
}
|
}
|
||||||
|
|
||||||
private synchronized void ensureNegotiated() throws IOException {
|
private void ensureNegotiated() throws IOException {
|
||||||
if (conContext.isNegotiated ||
|
if (conContext.isNegotiated || conContext.isBroken ||
|
||||||
conContext.isClosed() || conContext.isBroken) {
|
conContext.isInboundClosed() || conContext.isOutboundClosed()) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
startHandshake();
|
synchronized (conContext) { // handshake lock
|
||||||
|
// double check the context status
|
||||||
|
if (conContext.isNegotiated || conContext.isBroken ||
|
||||||
|
conContext.isInboundClosed() ||
|
||||||
|
conContext.isOutboundClosed()) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
startHandshake();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -489,7 +729,7 @@ public final class SSLSocketImpl
|
|||||||
private ByteBuffer buffer;
|
private ByteBuffer buffer;
|
||||||
|
|
||||||
// Is application data available in the stream?
|
// Is application data available in the stream?
|
||||||
private boolean appDataIsAvailable;
|
private volatile boolean appDataIsAvailable;
|
||||||
|
|
||||||
AppInputStream() {
|
AppInputStream() {
|
||||||
this.appDataIsAvailable = false;
|
this.appDataIsAvailable = false;
|
||||||
@ -514,7 +754,7 @@ public final class SSLSocketImpl
|
|||||||
* Read a single byte, returning -1 on non-fault EOF status.
|
* Read a single byte, returning -1 on non-fault EOF status.
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized int read() throws IOException {
|
public int read() throws IOException {
|
||||||
int n = read(oneByte, 0, 1);
|
int n = read(oneByte, 0, 1);
|
||||||
if (n <= 0) { // EOF
|
if (n <= 0) { // EOF
|
||||||
return -1;
|
return -1;
|
||||||
@ -536,7 +776,7 @@ public final class SSLSocketImpl
|
|||||||
* and returning "-1" on non-fault EOF status.
|
* and returning "-1" on non-fault EOF status.
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public synchronized int read(byte[] b, int off, int len)
|
public int read(byte[] b, int off, int len)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
if (b == null) {
|
if (b == null) {
|
||||||
throw new NullPointerException("the target buffer is null");
|
throw new NullPointerException("the target buffer is null");
|
||||||
@ -553,75 +793,54 @@ public final class SSLSocketImpl
|
|||||||
}
|
}
|
||||||
|
|
||||||
// start handshaking if the connection has not been negotiated.
|
// start handshaking if the connection has not been negotiated.
|
||||||
if (!conContext.isNegotiated &&
|
if (!conContext.isNegotiated && !conContext.isBroken &&
|
||||||
!conContext.isClosed() && !conContext.isBroken) {
|
!conContext.isInboundClosed() &&
|
||||||
|
!conContext.isOutboundClosed()) {
|
||||||
ensureNegotiated();
|
ensureNegotiated();
|
||||||
}
|
}
|
||||||
|
|
||||||
// Read the available bytes at first.
|
// Check if the Socket is invalid (error or closed).
|
||||||
int remains = available();
|
if (!conContext.isNegotiated ||
|
||||||
if (remains > 0) {
|
conContext.isBroken || conContext.isInboundClosed()) {
|
||||||
int howmany = Math.min(remains, len);
|
throw new SocketException("Connection or inbound has closed");
|
||||||
buffer.get(b, off, howmany);
|
|
||||||
|
|
||||||
return howmany;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
appDataIsAvailable = false;
|
// Read the available bytes at first.
|
||||||
int volume = 0;
|
//
|
||||||
try {
|
// Note that the receiving and processing of post-handshake message
|
||||||
/*
|
// are also synchronized with the read lock.
|
||||||
* Read data if needed ... notice that the connection
|
synchronized (this) {
|
||||||
* guarantees that handshake, alert, and change cipher spec
|
int remains = available();
|
||||||
* data streams are handled as they arrive, so we never
|
if (remains > 0) {
|
||||||
* see them here.
|
int howmany = Math.min(remains, len);
|
||||||
*/
|
buffer.get(b, off, howmany);
|
||||||
while (volume == 0) {
|
|
||||||
// Clear the buffer for a new record reading.
|
|
||||||
buffer.clear();
|
|
||||||
|
|
||||||
// grow the buffer if needed
|
return howmany;
|
||||||
int inLen = conContext.inputRecord.bytesInCompletePacket();
|
|
||||||
if (inLen < 0) { // EOF
|
|
||||||
handleEOF(null);
|
|
||||||
|
|
||||||
// if no exception thrown
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Is this packet bigger than SSL/TLS normally allows?
|
|
||||||
if (inLen > SSLRecord.maxLargeRecordSize) {
|
|
||||||
throw new SSLProtocolException(
|
|
||||||
"Illegal packet size: " + inLen);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (inLen > buffer.remaining()) {
|
|
||||||
buffer = ByteBuffer.allocate(inLen);
|
|
||||||
}
|
|
||||||
|
|
||||||
volume = readRecord(buffer);
|
|
||||||
buffer.flip();
|
|
||||||
if (volume < 0) { // EOF
|
|
||||||
// treat like receiving a close_notify warning message.
|
|
||||||
conContext.isInputCloseNotified = true;
|
|
||||||
conContext.closeInbound();
|
|
||||||
return -1;
|
|
||||||
} else if (volume > 0) {
|
|
||||||
appDataIsAvailable = true;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// file the destination buffer
|
appDataIsAvailable = false;
|
||||||
int howmany = Math.min(len, volume);
|
try {
|
||||||
buffer.get(b, off, howmany);
|
ByteBuffer bb = readApplicationRecord(buffer);
|
||||||
return howmany;
|
if (bb == null) { // EOF
|
||||||
} catch (Exception e) { // including RuntimeException
|
return -1;
|
||||||
// shutdown and rethrow (wrapped) exception as appropriate
|
} else {
|
||||||
handleException(e);
|
// The buffer may be reallocated for bigger capacity.
|
||||||
|
buffer = bb;
|
||||||
|
}
|
||||||
|
|
||||||
// dummy for compiler
|
bb.flip();
|
||||||
return -1;
|
int volume = Math.min(len, bb.remaining());
|
||||||
|
buffer.get(b, off, volume);
|
||||||
|
appDataIsAvailable = true;
|
||||||
|
|
||||||
|
return volume;
|
||||||
|
} catch (Exception e) { // including RuntimeException
|
||||||
|
// shutdown and rethrow (wrapped) exception as appropriate
|
||||||
|
handleException(e);
|
||||||
|
|
||||||
|
// dummy for compiler
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -658,20 +877,53 @@ public final class SSLSocketImpl
|
|||||||
SSLLogger.finest("Closing input stream");
|
SSLLogger.finest("Closing input stream");
|
||||||
}
|
}
|
||||||
|
|
||||||
conContext.closeInbound();
|
try {
|
||||||
|
shutdownInput(false);
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
// ignore the exception
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("input stream close failed", ioe);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return whether we have reached end-of-file.
|
||||||
|
*
|
||||||
|
* If the socket is not connected, has been shutdown because of an error
|
||||||
|
* or has been closed, throw an Exception.
|
||||||
|
*/
|
||||||
|
private boolean checkEOF() throws IOException {
|
||||||
|
if (conContext.isInboundClosed()) {
|
||||||
|
return true;
|
||||||
|
} else if (conContext.isInputCloseNotified || conContext.isBroken) {
|
||||||
|
if (conContext.closeReason == null) {
|
||||||
|
return true;
|
||||||
|
} else {
|
||||||
|
throw new SSLException(
|
||||||
|
"Connection has closed: " + conContext.closeReason,
|
||||||
|
conContext.closeReason);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized OutputStream getOutputStream() throws IOException {
|
public synchronized OutputStream getOutputStream() throws IOException {
|
||||||
if (isClosed() || conContext.isOutboundDone()) {
|
if (isClosed()) {
|
||||||
throw new SocketException("Socket or outbound is closed");
|
throw new SocketException("Socket is closed");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isConnected) {
|
if (!isConnected) {
|
||||||
throw new SocketException("Socket is not connected");
|
throw new SocketException("Socket is not connected");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (conContext.isOutboundDone() || isOutputShutdown()) {
|
||||||
|
throw new SocketException("Socket output is already shutdown");
|
||||||
|
}
|
||||||
|
|
||||||
return appOutput;
|
return appOutput;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -691,7 +943,7 @@ public final class SSLSocketImpl
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public synchronized void write(byte[] b,
|
public void write(byte[] b,
|
||||||
int off, int len) throws IOException {
|
int off, int len) throws IOException {
|
||||||
if (b == null) {
|
if (b == null) {
|
||||||
throw new NullPointerException("the source buffer is null");
|
throw new NullPointerException("the source buffer is null");
|
||||||
@ -700,25 +952,47 @@ public final class SSLSocketImpl
|
|||||||
"buffer length: " + b.length + ", offset; " + off +
|
"buffer length: " + b.length + ", offset; " + off +
|
||||||
", bytes to read:" + len);
|
", bytes to read:" + len);
|
||||||
} else if (len == 0) {
|
} else if (len == 0) {
|
||||||
|
//
|
||||||
|
// Don't bother to really write empty records. We went this
|
||||||
|
// far to drive the handshake machinery, for correctness; not
|
||||||
|
// writing empty records improves performance by cutting CPU
|
||||||
|
// time and network resource usage. However, some protocol
|
||||||
|
// implementations are fragile and don't like to see empty
|
||||||
|
// records, so this also increases robustness.
|
||||||
|
//
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// start handshaking if the connection has not been negotiated.
|
// Start handshaking if the connection has not been negotiated.
|
||||||
if (!conContext.isNegotiated &&
|
if (!conContext.isNegotiated && !conContext.isBroken &&
|
||||||
!conContext.isClosed() && !conContext.isBroken) {
|
!conContext.isInboundClosed() &&
|
||||||
|
!conContext.isOutboundClosed()) {
|
||||||
ensureNegotiated();
|
ensureNegotiated();
|
||||||
}
|
}
|
||||||
|
|
||||||
// check if the Socket is invalid (error or closed)
|
// Check if the Socket is invalid (error or closed).
|
||||||
checkWrite();
|
if (!conContext.isNegotiated ||
|
||||||
|
conContext.isBroken || conContext.isOutboundClosed()) {
|
||||||
|
throw new SocketException("Connection or outbound has closed");
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
|
||||||
// Delegate the writing to the underlying socket.
|
// Delegate the writing to the underlying socket.
|
||||||
try {
|
try {
|
||||||
writeRecord(b, off, len);
|
conContext.outputRecord.deliver(b, off, len);
|
||||||
checkWrite();
|
} catch (SSLHandshakeException she) {
|
||||||
} catch (IOException ioe) {
|
// may be record sequence number overflow
|
||||||
// shutdown and rethrow (wrapped) exception as appropriate
|
conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
|
||||||
handleException(ioe);
|
} catch (IOException e) {
|
||||||
|
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Is the sequence number is nearly overflow, or has the key usage
|
||||||
|
// limit been reached?
|
||||||
|
if (conContext.outputRecord.seqNumIsHuge() ||
|
||||||
|
conContext.outputRecord.writeCipher.atKeyLimit()) {
|
||||||
|
tryKeyUpdate();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -728,7 +1002,14 @@ public final class SSLSocketImpl
|
|||||||
SSLLogger.finest("Closing output stream");
|
SSLLogger.finest("Closing output stream");
|
||||||
}
|
}
|
||||||
|
|
||||||
conContext.closeOutbound();
|
try {
|
||||||
|
shutdownOutput();
|
||||||
|
} catch (IOException ioe) {
|
||||||
|
// ignore the exception
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("output stream close failed", ioe);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -773,39 +1054,11 @@ public final class SSLSocketImpl
|
|||||||
return conContext.sslConfig.socketAPSelector;
|
return conContext.sslConfig.socketAPSelector;
|
||||||
}
|
}
|
||||||
|
|
||||||
private synchronized void writeRecord(byte[] source,
|
/**
|
||||||
int offset, int length) throws IOException {
|
* Read the initial handshake records.
|
||||||
if (conContext.isOutboundDone()) {
|
*/
|
||||||
throw new SocketException("Socket or outbound closed");
|
private int readHandshakeRecord() throws IOException {
|
||||||
}
|
while (!conContext.isInboundClosed()) {
|
||||||
|
|
||||||
//
|
|
||||||
// Don't bother to really write empty records. We went this
|
|
||||||
// far to drive the handshake machinery, for correctness; not
|
|
||||||
// writing empty records improves performance by cutting CPU
|
|
||||||
// time and network resource usage. However, some protocol
|
|
||||||
// implementations are fragile and don't like to see empty
|
|
||||||
// records, so this also increases robustness.
|
|
||||||
//
|
|
||||||
if (length > 0) {
|
|
||||||
try {
|
|
||||||
conContext.outputRecord.deliver(source, offset, length);
|
|
||||||
} catch (SSLHandshakeException she) {
|
|
||||||
// may be record sequence number overflow
|
|
||||||
conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
|
|
||||||
} catch (IOException e) {
|
|
||||||
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Is the sequence number is nearly overflow?
|
|
||||||
if (conContext.outputRecord.seqNumIsHuge()) {
|
|
||||||
tryKeyUpdate();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private synchronized int readRecord() throws IOException {
|
|
||||||
while (!conContext.isInboundDone()) {
|
|
||||||
try {
|
try {
|
||||||
Plaintext plainText = decode(null);
|
Plaintext plainText = decode(null);
|
||||||
if ((plainText.contentType == ContentType.HANDSHAKE.id) &&
|
if ((plainText.contentType == ContentType.HANDSHAKE.id) &&
|
||||||
@ -816,7 +1069,7 @@ public final class SSLSocketImpl
|
|||||||
throw ssle;
|
throw ssle;
|
||||||
} catch (IOException ioe) {
|
} catch (IOException ioe) {
|
||||||
if (!(ioe instanceof SSLException)) {
|
if (!(ioe instanceof SSLException)) {
|
||||||
throw new SSLException("readRecord", ioe);
|
throw new SSLException("readHandshakeRecord", ioe);
|
||||||
} else {
|
} else {
|
||||||
throw ioe;
|
throw ioe;
|
||||||
}
|
}
|
||||||
@ -826,8 +1079,20 @@ public final class SSLSocketImpl
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
private synchronized int readRecord(ByteBuffer buffer) throws IOException {
|
/**
|
||||||
while (!conContext.isInboundDone()) {
|
* Read application data record. Used by AppInputStream only, but defined
|
||||||
|
* here so as to use the socket level synchronization.
|
||||||
|
*
|
||||||
|
* Note that the connection guarantees that handshake, alert, and change
|
||||||
|
* cipher spec data streams are handled as they arrive, so we never see
|
||||||
|
* them here.
|
||||||
|
*
|
||||||
|
* Note: Please be careful about the synchronization, and don't use this
|
||||||
|
* method other than in the AppInputStream class!
|
||||||
|
*/
|
||||||
|
private ByteBuffer readApplicationRecord(
|
||||||
|
ByteBuffer buffer) throws IOException {
|
||||||
|
while (!conContext.isInboundClosed()) {
|
||||||
/*
|
/*
|
||||||
* clean the buffer and check if it is too small, e.g. because
|
* clean the buffer and check if it is too small, e.g. because
|
||||||
* the AppInputStream did not have the chance to see the
|
* the AppInputStream did not have the chance to see the
|
||||||
@ -841,23 +1106,33 @@ public final class SSLSocketImpl
|
|||||||
handleEOF(null);
|
handleEOF(null);
|
||||||
|
|
||||||
// if no exception thrown
|
// if no exception thrown
|
||||||
return -1;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (buffer.remaining() < inLen) {
|
// Is this packet bigger than SSL/TLS normally allows?
|
||||||
return 0;
|
if (inLen > SSLRecord.maxLargeRecordSize) {
|
||||||
|
throw new SSLProtocolException(
|
||||||
|
"Illegal packet size: " + inLen);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (inLen > buffer.remaining()) {
|
||||||
|
buffer = ByteBuffer.allocate(inLen);
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Plaintext plainText = decode(buffer);
|
Plaintext plainText;
|
||||||
if (plainText.contentType == ContentType.APPLICATION_DATA.id) {
|
synchronized (this) {
|
||||||
return buffer.position();
|
plainText = decode(buffer);
|
||||||
|
}
|
||||||
|
if (plainText.contentType == ContentType.APPLICATION_DATA.id &&
|
||||||
|
buffer.position() > 0) {
|
||||||
|
return buffer;
|
||||||
}
|
}
|
||||||
} catch (SSLException ssle) {
|
} catch (SSLException ssle) {
|
||||||
throw ssle;
|
throw ssle;
|
||||||
} catch (IOException ioe) {
|
} catch (IOException ioe) {
|
||||||
if (!(ioe instanceof SSLException)) {
|
if (!(ioe instanceof SSLException)) {
|
||||||
throw new SSLException("readRecord", ioe);
|
throw new SSLException("readApplicationRecord", ioe);
|
||||||
} else {
|
} else {
|
||||||
throw ioe;
|
throw ioe;
|
||||||
}
|
}
|
||||||
@ -867,7 +1142,7 @@ public final class SSLSocketImpl
|
|||||||
//
|
//
|
||||||
// couldn't read, due to some kind of error
|
// couldn't read, due to some kind of error
|
||||||
//
|
//
|
||||||
return -1;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
private Plaintext decode(ByteBuffer destination) throws IOException {
|
private Plaintext decode(ByteBuffer destination) throws IOException {
|
||||||
@ -887,7 +1162,8 @@ public final class SSLSocketImpl
|
|||||||
|
|
||||||
// Is the sequence number is nearly overflow?
|
// Is the sequence number is nearly overflow?
|
||||||
if (plainText != Plaintext.PLAINTEXT_NULL &&
|
if (plainText != Plaintext.PLAINTEXT_NULL &&
|
||||||
conContext.inputRecord.seqNumIsHuge()) {
|
(conContext.inputRecord.seqNumIsHuge() ||
|
||||||
|
conContext.inputRecord.readCipher.atKeyLimit())) {
|
||||||
tryKeyUpdate();
|
tryKeyUpdate();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -895,69 +1171,28 @@ public final class SSLSocketImpl
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Try renegotiation or key update for sequence number wrap.
|
* Try key update for sequence number wrap or key usage limit.
|
||||||
*
|
*
|
||||||
* Note that in order to maintain the handshake status properly, we check
|
* Note that in order to maintain the handshake status properly, we check
|
||||||
* the sequence number after the last record reading/writing process. As
|
* the sequence number and key usage limit after the last record
|
||||||
* we request renegotiation or close the connection for wrapped sequence
|
* reading/writing process.
|
||||||
|
*
|
||||||
|
* As we request renegotiation or close the connection for wrapped sequence
|
||||||
* number when there is enough sequence number space left to handle a few
|
* number when there is enough sequence number space left to handle a few
|
||||||
* more records, so the sequence number of the last record cannot be
|
* more records, so the sequence number of the last record cannot be
|
||||||
* wrapped.
|
* wrapped.
|
||||||
*/
|
*/
|
||||||
private void tryKeyUpdate() throws IOException {
|
private void tryKeyUpdate() throws IOException {
|
||||||
// Don't bother to kickstart the renegotiation or key update when the
|
// Don't bother to kickstart if handshaking is in progress, or if the
|
||||||
// local is asking for it.
|
// connection is not duplex-open.
|
||||||
if ((conContext.handshakeContext == null) &&
|
if ((conContext.handshakeContext == null) &&
|
||||||
!conContext.isClosed() && !conContext.isBroken) {
|
!conContext.isOutboundClosed() &&
|
||||||
|
!conContext.isInboundClosed() &&
|
||||||
|
!conContext.isBroken) {
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
SSLLogger.finest("key update to wrap sequence number");
|
SSLLogger.finest("trigger key update");
|
||||||
}
|
|
||||||
conContext.keyUpdate();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private void closeSocket(boolean selfInitiated) throws IOException {
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
||||||
SSLLogger.fine("close the ssl connection " +
|
|
||||||
(selfInitiated ? "(initiative)" : "(passive)"));
|
|
||||||
}
|
|
||||||
|
|
||||||
if (autoClose || !isLayered()) {
|
|
||||||
super.close();
|
|
||||||
} else if (selfInitiated) {
|
|
||||||
// wait for close_notify alert to clear input stream.
|
|
||||||
waitForClose();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Wait for close_notify alert for a graceful closure.
|
|
||||||
*
|
|
||||||
* [RFC 5246] If the application protocol using TLS provides that any
|
|
||||||
* data may be carried over the underlying transport after the TLS
|
|
||||||
* connection is closed, the TLS implementation must receive the responding
|
|
||||||
* close_notify alert before indicating to the application layer that
|
|
||||||
* the TLS connection has ended. If the application protocol will not
|
|
||||||
* transfer any additional data, but will only close the underlying
|
|
||||||
* transport connection, then the implementation MAY choose to close the
|
|
||||||
* transport without waiting for the responding close_notify.
|
|
||||||
*/
|
|
||||||
private void waitForClose() throws IOException {
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
||||||
SSLLogger.fine("wait for close_notify or alert");
|
|
||||||
}
|
|
||||||
|
|
||||||
while (!conContext.isInboundDone()) {
|
|
||||||
try {
|
|
||||||
Plaintext plainText = decode(null);
|
|
||||||
// discard and continue
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
||||||
SSLLogger.finest(
|
|
||||||
"discard plaintext while waiting for close", plainText);
|
|
||||||
}
|
|
||||||
} catch (Exception e) { // including RuntimeException
|
|
||||||
handleException(e);
|
|
||||||
}
|
}
|
||||||
|
startHandshake();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1040,41 +1275,6 @@ public final class SSLSocketImpl
|
|||||||
conContext.sslConfig.serverNames, host);
|
conContext.sslConfig.serverNames, host);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Return whether we have reached end-of-file.
|
|
||||||
*
|
|
||||||
* If the socket is not connected, has been shutdown because of an error
|
|
||||||
* or has been closed, throw an Exception.
|
|
||||||
*/
|
|
||||||
synchronized boolean checkEOF() throws IOException {
|
|
||||||
if (conContext.isClosed()) {
|
|
||||||
return true;
|
|
||||||
} else if (conContext.isInputCloseNotified || conContext.isBroken) {
|
|
||||||
if (conContext.closeReason == null) {
|
|
||||||
return true;
|
|
||||||
} else {
|
|
||||||
throw new SSLException(
|
|
||||||
"Connection has been shutdown: " + conContext.closeReason,
|
|
||||||
conContext.closeReason);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Check if we can write data to this socket.
|
|
||||||
*/
|
|
||||||
synchronized void checkWrite() throws IOException {
|
|
||||||
if (checkEOF() || conContext.isOutboundClosed()) {
|
|
||||||
// we are at EOF, write must throw Exception
|
|
||||||
throw new SocketException("Connection closed");
|
|
||||||
}
|
|
||||||
if (!isConnected) {
|
|
||||||
throw new SocketException("Socket is not connected");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Handle an exception.
|
* Handle an exception.
|
||||||
*
|
*
|
||||||
@ -1132,7 +1332,7 @@ public final class SSLSocketImpl
|
|||||||
} else {
|
} else {
|
||||||
// treat as if we had received a close_notify
|
// treat as if we had received a close_notify
|
||||||
conContext.isInputCloseNotified = true;
|
conContext.isInputCloseNotified = true;
|
||||||
conContext.transport.shutdown();
|
shutdownInput();
|
||||||
|
|
||||||
return Plaintext.PLAINTEXT_NULL;
|
return Plaintext.PLAINTEXT_NULL;
|
||||||
}
|
}
|
||||||
@ -1174,4 +1374,51 @@ public final class SSLSocketImpl
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void closeSocket(boolean selfInitiated) throws IOException {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.fine("close the SSL connection " +
|
||||||
|
(selfInitiated ? "(initiative)" : "(passive)"));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (autoClose || !isLayered()) {
|
||||||
|
super.close();
|
||||||
|
} else if (selfInitiated) {
|
||||||
|
if (!conContext.isInboundClosed() && !isInputShutdown()) {
|
||||||
|
// wait for close_notify alert to clear input stream.
|
||||||
|
waitForClose();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wait for close_notify alert for a graceful closure.
|
||||||
|
*
|
||||||
|
* [RFC 5246] If the application protocol using TLS provides that any
|
||||||
|
* data may be carried over the underlying transport after the TLS
|
||||||
|
* connection is closed, the TLS implementation must receive the responding
|
||||||
|
* close_notify alert before indicating to the application layer that
|
||||||
|
* the TLS connection has ended. If the application protocol will not
|
||||||
|
* transfer any additional data, but will only close the underlying
|
||||||
|
* transport connection, then the implementation MAY choose to close the
|
||||||
|
* transport without waiting for the responding close_notify.
|
||||||
|
*/
|
||||||
|
private void waitForClose() throws IOException {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.fine("wait for close_notify or alert");
|
||||||
|
}
|
||||||
|
|
||||||
|
while (!conContext.isInboundClosed()) {
|
||||||
|
try {
|
||||||
|
Plaintext plainText = decode(null);
|
||||||
|
// discard and continue
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.finest(
|
||||||
|
"discard plaintext while waiting for close", plainText);
|
||||||
|
}
|
||||||
|
} catch (Exception e) { // including RuntimeException
|
||||||
|
handleException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -38,8 +38,6 @@ import javax.net.ssl.SSLHandshakeException;
|
|||||||
import javax.net.ssl.SSLProtocolException;
|
import javax.net.ssl.SSLProtocolException;
|
||||||
|
|
||||||
import sun.security.ssl.SSLCipher.SSLReadCipher;
|
import sun.security.ssl.SSLCipher.SSLReadCipher;
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateMessage;
|
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateRequest;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* {@code InputRecord} implementation for {@code SSLSocket}.
|
* {@code InputRecord} implementation for {@code SSLSocket}.
|
||||||
@ -348,20 +346,6 @@ final class SSLSocketInputRecord extends InputRecord implements SSLRecord {
|
|||||||
return plaintexts.toArray(new Plaintext[0]);
|
return plaintexts.toArray(new Plaintext[0]);
|
||||||
}
|
}
|
||||||
|
|
||||||
// KeyLimit check during application data.
|
|
||||||
// atKeyLimit() inactive when limits not checked, tc set when limits
|
|
||||||
// are active.
|
|
||||||
|
|
||||||
if (readCipher.atKeyLimit()) {
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
||||||
SSLLogger.fine("KeyUpdate: triggered, read side.");
|
|
||||||
}
|
|
||||||
|
|
||||||
PostHandshakeContext p = new PostHandshakeContext(tc);
|
|
||||||
KeyUpdate.handshakeProducer.produce(p,
|
|
||||||
new KeyUpdateMessage(p, KeyUpdateRequest.REQUESTED));
|
|
||||||
}
|
|
||||||
|
|
||||||
return new Plaintext[] {
|
return new Plaintext[] {
|
||||||
new Plaintext(contentType,
|
new Plaintext(contentType,
|
||||||
majorVersion, minorVersion, -1, -1L, fragment)
|
majorVersion, minorVersion, -1, -1L, fragment)
|
||||||
|
@ -28,12 +28,10 @@ package sun.security.ssl;
|
|||||||
import java.io.ByteArrayInputStream;
|
import java.io.ByteArrayInputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.OutputStream;
|
import java.io.OutputStream;
|
||||||
|
import java.net.SocketException;
|
||||||
import java.nio.ByteBuffer;
|
import java.nio.ByteBuffer;
|
||||||
import javax.net.ssl.SSLHandshakeException;
|
import javax.net.ssl.SSLHandshakeException;
|
||||||
|
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateMessage;
|
|
||||||
import sun.security.ssl.KeyUpdate.KeyUpdateRequest;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* {@code OutputRecord} implementation for {@code SSLSocket}.
|
* {@code OutputRecord} implementation for {@code SSLSocket}.
|
||||||
*/
|
*/
|
||||||
@ -53,7 +51,16 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void encodeAlert(byte level, byte description) throws IOException {
|
synchronized void encodeAlert(
|
||||||
|
byte level, byte description) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"alert message: " + Alert.nameOf(description));
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// use the buf of ByteArrayOutputStream
|
// use the buf of ByteArrayOutputStream
|
||||||
int position = headerSize + writeCipher.getExplicitNonceSize();
|
int position = headerSize + writeCipher.getExplicitNonceSize();
|
||||||
count = position;
|
count = position;
|
||||||
@ -63,6 +70,7 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
|
||||||
SSLLogger.fine("WRITE: " + protocolVersion +
|
SSLLogger.fine("WRITE: " + protocolVersion +
|
||||||
" " + ContentType.ALERT.name +
|
" " + ContentType.ALERT.name +
|
||||||
|
"(" + Alert.nameOf(description) + ")" +
|
||||||
", length = " + (count - headerSize));
|
", length = " + (count - headerSize));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -83,8 +91,17 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void encodeHandshake(byte[] source,
|
synchronized void encodeHandshake(byte[] source,
|
||||||
int offset, int length) throws IOException {
|
int offset, int length) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"handshake message",
|
||||||
|
ByteBuffer.wrap(source, offset, length));
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (firstMessage) {
|
if (firstMessage) {
|
||||||
firstMessage = false;
|
firstMessage = false;
|
||||||
|
|
||||||
@ -182,7 +199,14 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void encodeChangeCipherSpec() throws IOException {
|
synchronized void encodeChangeCipherSpec() throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
|
SSLLogger.warning("outbound has closed, ignore outbound " +
|
||||||
|
"change_cipher_spec message");
|
||||||
|
}
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// use the buf of ByteArrayOutputStream
|
// use the buf of ByteArrayOutputStream
|
||||||
int position = headerSize + writeCipher.getExplicitNonceSize();
|
int position = headerSize + writeCipher.getExplicitNonceSize();
|
||||||
@ -207,7 +231,7 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void flush() throws IOException {
|
public synchronized void flush() throws IOException {
|
||||||
int position = headerSize + writeCipher.getExplicitNonceSize();
|
int position = headerSize + writeCipher.getExplicitNonceSize();
|
||||||
if (count <= position) {
|
if (count <= position) {
|
||||||
return;
|
return;
|
||||||
@ -237,7 +261,12 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void deliver(byte[] source, int offset, int length) throws IOException {
|
synchronized void deliver(
|
||||||
|
byte[] source, int offset, int length) throws IOException {
|
||||||
|
if (isClosed()) {
|
||||||
|
throw new SocketException("Connection or outbound has been closed");
|
||||||
|
}
|
||||||
|
|
||||||
if (writeCipher.authenticator.seqNumOverflow()) {
|
if (writeCipher.authenticator.seqNumOverflow()) {
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
SSLLogger.fine(
|
SSLLogger.fine(
|
||||||
@ -304,23 +333,11 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
}
|
}
|
||||||
|
|
||||||
offset += fragLen;
|
offset += fragLen;
|
||||||
|
|
||||||
// atKeyLimit() inactive when limits not checked, tc set when limits
|
|
||||||
// are active.
|
|
||||||
if (writeCipher.atKeyLimit()) {
|
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
|
||||||
SSLLogger.fine("KeyUpdate: triggered, write side.");
|
|
||||||
}
|
|
||||||
|
|
||||||
PostHandshakeContext p = new PostHandshakeContext(tc);
|
|
||||||
KeyUpdate.handshakeProducer.produce(p,
|
|
||||||
new KeyUpdateMessage(p, KeyUpdateRequest.REQUESTED));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
void setDeliverStream(OutputStream outputStream) {
|
synchronized void setDeliverStream(OutputStream outputStream) {
|
||||||
this.deliverStream = outputStream;
|
this.deliverStream = outputStream;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -347,7 +364,7 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
|
|||||||
* This avoids issues in the outbound direction. For a full fix,
|
* This avoids issues in the outbound direction. For a full fix,
|
||||||
* the peer must have similar protections.
|
* the peer must have similar protections.
|
||||||
*/
|
*/
|
||||||
boolean needToSplitPayload() {
|
private boolean needToSplitPayload() {
|
||||||
return (!protocolVersion.useTLS11PlusSpec()) &&
|
return (!protocolVersion.useTLS11PlusSpec()) &&
|
||||||
writeCipher.isCBCMode() && !isFirstAppOutputRecord &&
|
writeCipher.isCBCMode() && !isFirstAppOutputRecord &&
|
||||||
Record.enableCBCProtection;
|
Record.enableCBCProtection;
|
||||||
|
@ -25,7 +25,6 @@
|
|||||||
|
|
||||||
package sun.security.ssl;
|
package sun.security.ssl;
|
||||||
|
|
||||||
import java.io.Closeable;
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.security.AccessControlContext;
|
import java.security.AccessControlContext;
|
||||||
import java.security.AccessController;
|
import java.security.AccessController;
|
||||||
@ -45,7 +44,7 @@ import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
|
|||||||
/**
|
/**
|
||||||
* SSL/(D)TLS transportation context.
|
* SSL/(D)TLS transportation context.
|
||||||
*/
|
*/
|
||||||
class TransportContext implements ConnectionContext, Closeable {
|
class TransportContext implements ConnectionContext {
|
||||||
final SSLTransport transport;
|
final SSLTransport transport;
|
||||||
|
|
||||||
// registered plaintext consumers
|
// registered plaintext consumers
|
||||||
@ -62,7 +61,7 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
boolean isNegotiated = false;
|
boolean isNegotiated = false;
|
||||||
boolean isBroken = false;
|
boolean isBroken = false;
|
||||||
boolean isInputCloseNotified = false;
|
boolean isInputCloseNotified = false;
|
||||||
boolean isOutputCloseNotified = false;
|
boolean peerUserCanceled = false;
|
||||||
Exception closeReason = null;
|
Exception closeReason = null;
|
||||||
|
|
||||||
// negotiated security parameters
|
// negotiated security parameters
|
||||||
@ -229,10 +228,6 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void keyUpdate() throws IOException {
|
|
||||||
kickstart();
|
|
||||||
}
|
|
||||||
|
|
||||||
boolean isPostHandshakeContext() {
|
boolean isPostHandshakeContext() {
|
||||||
return handshakeContext != null &&
|
return handshakeContext != null &&
|
||||||
(handshakeContext instanceof PostHandshakeContext);
|
(handshakeContext instanceof PostHandshakeContext);
|
||||||
@ -348,7 +343,7 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
//
|
//
|
||||||
// If we haven't even started handshaking yet, or we are the recipient
|
// If we haven't even started handshaking yet, or we are the recipient
|
||||||
// of a fatal alert, no need to generate a fatal close alert.
|
// of a fatal alert, no need to generate a fatal close alert.
|
||||||
if (!recvFatalAlert && !isOutboundDone() && !isBroken &&
|
if (!recvFatalAlert && !isOutboundClosed() && !isBroken &&
|
||||||
(isNegotiated || handshakeContext != null)) {
|
(isNegotiated || handshakeContext != null)) {
|
||||||
try {
|
try {
|
||||||
outputRecord.encodeAlert(Alert.Level.FATAL.level, alert.id);
|
outputRecord.encodeAlert(Alert.Level.FATAL.level, alert.id);
|
||||||
@ -436,35 +431,26 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
return outputRecord.isClosed();
|
return outputRecord.isClosed();
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean isInboundDone() {
|
boolean isInboundClosed() {
|
||||||
return inputRecord.isClosed();
|
return inputRecord.isClosed();
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean isClosed() {
|
// Close inbound, no more data should be delivered to the underlying
|
||||||
return isOutboundClosed() && isInboundDone();
|
// transportation connection.
|
||||||
}
|
void closeInbound() throws SSLException {
|
||||||
|
if (isInboundClosed()) {
|
||||||
@Override
|
|
||||||
public void close() throws IOException {
|
|
||||||
if (!isOutboundDone()) {
|
|
||||||
closeOutbound();
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!isInboundDone()) {
|
|
||||||
closeInbound();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
void closeInbound() {
|
|
||||||
if (isInboundDone()) {
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (isInputCloseNotified) { // passive close
|
// Important note: check if the initial handshake is started at
|
||||||
passiveInboundClose();
|
// first so that the passiveInboundClose() implementation need not
|
||||||
} else { // initiative close
|
// to consider the case any more.
|
||||||
|
if (!isInputCloseNotified) {
|
||||||
|
// the initial handshake is not started
|
||||||
initiateInboundClose();
|
initiateInboundClose();
|
||||||
|
} else {
|
||||||
|
passiveInboundClose();
|
||||||
}
|
}
|
||||||
} catch (IOException ioe) {
|
} catch (IOException ioe) {
|
||||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
|
||||||
@ -473,8 +459,58 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Close the connection passively. The closure could be kickoff by
|
||||||
|
// receiving a close_notify alert or reaching end_of_file of the socket.
|
||||||
|
//
|
||||||
|
// Note that this method is called only if the initial handshake has
|
||||||
|
// started or completed.
|
||||||
|
private void passiveInboundClose() throws IOException {
|
||||||
|
if (!isInboundClosed()) {
|
||||||
|
inputRecord.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
// For TLS 1.2 and prior version, it is required to respond with
|
||||||
|
// a close_notify alert of its own and close down the connection
|
||||||
|
// immediately, discarding any pending writes.
|
||||||
|
if (!isOutboundClosed()) {
|
||||||
|
boolean needCloseNotify = SSLConfiguration.acknowledgeCloseNotify;
|
||||||
|
if (!needCloseNotify) {
|
||||||
|
if (isNegotiated) {
|
||||||
|
if (!protocolVersion.useTLS13PlusSpec()) {
|
||||||
|
needCloseNotify = true;
|
||||||
|
}
|
||||||
|
} else if (handshakeContext != null) { // initial handshake
|
||||||
|
ProtocolVersion pv = handshakeContext.negotiatedProtocol;
|
||||||
|
if (pv == null || (!pv.useTLS13PlusSpec())) {
|
||||||
|
needCloseNotify = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (needCloseNotify) {
|
||||||
|
synchronized (outputRecord) {
|
||||||
|
try {
|
||||||
|
// send a close_notify alert
|
||||||
|
warning(Alert.CLOSE_NOTIFY);
|
||||||
|
} finally {
|
||||||
|
outputRecord.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Initiate a inbound close when the handshake is not started.
|
||||||
|
private void initiateInboundClose() throws IOException {
|
||||||
|
if (!isInboundClosed()) {
|
||||||
|
inputRecord.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Close outbound, no more data should be received from the underlying
|
||||||
|
// transportation connection.
|
||||||
void closeOutbound() {
|
void closeOutbound() {
|
||||||
if (isOutboundDone()) {
|
if (isOutboundClosed()) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -487,89 +523,29 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Close the connection passively. The closure could be kickoff by
|
|
||||||
// receiving a close_notify alert or reaching end_of_file of the socket.
|
|
||||||
private void passiveInboundClose() throws IOException {
|
|
||||||
if (!isInboundDone()) {
|
|
||||||
inputRecord.close();
|
|
||||||
}
|
|
||||||
|
|
||||||
// For TLS 1.2 and prior version, it is required to respond with
|
|
||||||
// a close_notify alert of its own and close down the connection
|
|
||||||
// immediately, discarding any pending writes.
|
|
||||||
if (!isOutboundDone() && !isOutputCloseNotified) {
|
|
||||||
try {
|
|
||||||
// send a close_notify alert
|
|
||||||
warning(Alert.CLOSE_NOTIFY);
|
|
||||||
} finally {
|
|
||||||
// any data received after a closure alert is ignored.
|
|
||||||
isOutputCloseNotified = true;
|
|
||||||
outputRecord.close();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
transport.shutdown();
|
|
||||||
}
|
|
||||||
|
|
||||||
// Initiate a close by sending a close_notify alert.
|
|
||||||
private void initiateInboundClose() throws IOException {
|
|
||||||
// TLS 1.3 does not define how to initiate and close a TLS connection
|
|
||||||
// gracefully. We will always send a close_notify alert, and close
|
|
||||||
// the underlying transportation layer if needed.
|
|
||||||
if (!isInboundDone() && !isInputCloseNotified) {
|
|
||||||
try {
|
|
||||||
// send a close_notify alert
|
|
||||||
warning(Alert.CLOSE_NOTIFY);
|
|
||||||
} finally {
|
|
||||||
// any data received after a closure alert is ignored.
|
|
||||||
isInputCloseNotified = true;
|
|
||||||
inputRecord.close();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// For TLS 1.3, input closure is independent from output closure. Both
|
|
||||||
// parties need not wait to receive a "close_notify" alert before
|
|
||||||
// closing their read side of the connection.
|
|
||||||
//
|
|
||||||
// For TLS 1.2 and prior version, it is not required for the initiator
|
|
||||||
// of the close to wait for the responding close_notify alert before
|
|
||||||
// closing the read side of the connection.
|
|
||||||
try {
|
|
||||||
transport.shutdown();
|
|
||||||
} finally {
|
|
||||||
if (!isOutboundDone()) {
|
|
||||||
outputRecord.close();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Initiate a close by sending a close_notify alert.
|
// Initiate a close by sending a close_notify alert.
|
||||||
private void initiateOutboundClose() throws IOException {
|
private void initiateOutboundClose() throws IOException {
|
||||||
if (!isOutboundDone() && !isOutputCloseNotified) {
|
boolean useUserCanceled = false;
|
||||||
try { // close outputRecord
|
if (!isNegotiated && (handshakeContext != null) && !peerUserCanceled) {
|
||||||
|
// initial handshake
|
||||||
|
useUserCanceled = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Need a lock here so that the user_canceled alert and the
|
||||||
|
// close_notify alert can be delivered together.
|
||||||
|
synchronized (outputRecord) {
|
||||||
|
try {
|
||||||
|
// send a user_canceled alert if needed.
|
||||||
|
if (useUserCanceled) {
|
||||||
|
warning(Alert.USER_CANCELED);
|
||||||
|
}
|
||||||
|
|
||||||
// send a close_notify alert
|
// send a close_notify alert
|
||||||
warning(Alert.CLOSE_NOTIFY);
|
warning(Alert.CLOSE_NOTIFY);
|
||||||
} finally {
|
} finally {
|
||||||
// any data received after a closure alert is ignored.
|
|
||||||
isOutputCloseNotified = true;
|
|
||||||
outputRecord.close();
|
outputRecord.close();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// It is not required for the initiator of the close to wait for the
|
|
||||||
// responding close_notify alert before closing the read side of the
|
|
||||||
// connection. However, if the application protocol using TLS
|
|
||||||
// provides that any data may be carried over the underlying transport
|
|
||||||
// after the TLS connection is closed, the TLS implementation MUST
|
|
||||||
// receive a "close_notify" alert before indicating end-of-data to the
|
|
||||||
// application-layer.
|
|
||||||
try {
|
|
||||||
transport.shutdown();
|
|
||||||
} finally {
|
|
||||||
if (!isInboundDone()) {
|
|
||||||
inputRecord.close();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Note; HandshakeStatus.FINISHED status is retrieved in other places.
|
// Note; HandshakeStatus.FINISHED status is retrieved in other places.
|
||||||
@ -578,25 +554,28 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
// If no handshaking, special case to wrap alters or
|
// If no handshaking, special case to wrap alters or
|
||||||
// post-handshake messages.
|
// post-handshake messages.
|
||||||
return HandshakeStatus.NEED_WRAP;
|
return HandshakeStatus.NEED_WRAP;
|
||||||
|
} else if (isOutboundClosed() && isInboundClosed()) {
|
||||||
|
return HandshakeStatus.NOT_HANDSHAKING;
|
||||||
} else if (handshakeContext != null) {
|
} else if (handshakeContext != null) {
|
||||||
if (!handshakeContext.delegatedActions.isEmpty()) {
|
if (!handshakeContext.delegatedActions.isEmpty()) {
|
||||||
return HandshakeStatus.NEED_TASK;
|
return HandshakeStatus.NEED_TASK;
|
||||||
} else if (sslContext.isDTLS() &&
|
} else if (!isInboundClosed()) {
|
||||||
!inputRecord.isEmpty()) {
|
if (sslContext.isDTLS() &&
|
||||||
return HandshakeStatus.NEED_UNWRAP_AGAIN;
|
!inputRecord.isEmpty()) {
|
||||||
} else {
|
return HandshakeStatus.NEED_UNWRAP_AGAIN;
|
||||||
return HandshakeStatus.NEED_UNWRAP;
|
} else {
|
||||||
|
return HandshakeStatus.NEED_UNWRAP;
|
||||||
|
}
|
||||||
|
} else if (!isOutboundClosed()) {
|
||||||
|
// Special case that the inbound was closed, but outbound open.
|
||||||
|
return HandshakeStatus.NEED_WRAP;
|
||||||
}
|
}
|
||||||
} else if (isOutboundDone() && !isInboundDone()) {
|
} else if (isOutboundClosed() && !isInboundClosed()) {
|
||||||
/*
|
// Special case that the outbound was closed, but inbound open.
|
||||||
* Special case where we're closing, but
|
|
||||||
* still need the close_notify before we
|
|
||||||
* can officially be closed.
|
|
||||||
*
|
|
||||||
* Note isOutboundDone is taken care of by
|
|
||||||
* hasOutboundData() above.
|
|
||||||
*/
|
|
||||||
return HandshakeStatus.NEED_UNWRAP;
|
return HandshakeStatus.NEED_UNWRAP;
|
||||||
|
} else if (!isOutboundClosed() && isInboundClosed()) {
|
||||||
|
// Special case that the inbound was closed, but outbound open.
|
||||||
|
return HandshakeStatus.NEED_WRAP;
|
||||||
}
|
}
|
||||||
|
|
||||||
return HandshakeStatus.NOT_HANDSHAKING;
|
return HandshakeStatus.NOT_HANDSHAKING;
|
||||||
@ -607,8 +586,10 @@ class TransportContext implements ConnectionContext, Closeable {
|
|||||||
outputRecord.tc = this;
|
outputRecord.tc = this;
|
||||||
inputRecord.tc = this;
|
inputRecord.tc = this;
|
||||||
cipherSuite = handshakeContext.negotiatedCipherSuite;
|
cipherSuite = handshakeContext.negotiatedCipherSuite;
|
||||||
inputRecord.readCipher.baseSecret = handshakeContext.baseReadSecret;
|
inputRecord.readCipher.baseSecret =
|
||||||
outputRecord.writeCipher.baseSecret = handshakeContext.baseWriteSecret;
|
handshakeContext.baseReadSecret;
|
||||||
|
outputRecord.writeCipher.baseSecret =
|
||||||
|
handshakeContext.baseWriteSecret;
|
||||||
}
|
}
|
||||||
|
|
||||||
handshakeContext = null;
|
handshakeContext = null;
|
||||||
|
@ -35,6 +35,7 @@
|
|||||||
* @build Http2TestServer
|
* @build Http2TestServer
|
||||||
* @build jdk.testlibrary.SimpleSSLContext
|
* @build jdk.testlibrary.SimpleSSLContext
|
||||||
* @run testng/othervm
|
* @run testng/othervm
|
||||||
|
* -Djdk.tls.acknowledgeCloseNotify=true
|
||||||
* -Djdk.httpclient.HttpClient.log=trace,headers,requests
|
* -Djdk.httpclient.HttpClient.log=trace,headers,requests
|
||||||
* CookieHeaderTest
|
* CookieHeaderTest
|
||||||
*/
|
*/
|
||||||
|
@ -33,6 +33,7 @@
|
|||||||
* java.net.http/jdk.internal.net.http.frame
|
* java.net.http/jdk.internal.net.http.frame
|
||||||
* java.net.http/jdk.internal.net.http.hpack
|
* java.net.http/jdk.internal.net.http.hpack
|
||||||
* @run testng/othervm
|
* @run testng/othervm
|
||||||
|
* -Djdk.tls.acknowledgeCloseNotify=true
|
||||||
* -Djdk.internal.httpclient.debug=true
|
* -Djdk.internal.httpclient.debug=true
|
||||||
* -Djdk.httpclient.HttpClient.log=headers,errors EncodedCharsInURI
|
* -Djdk.httpclient.HttpClient.log=headers,errors EncodedCharsInURI
|
||||||
*/
|
*/
|
||||||
|
@ -31,7 +31,7 @@
|
|||||||
* java.net.http/jdk.internal.net.http.common
|
* java.net.http/jdk.internal.net.http.common
|
||||||
* java.net.http/jdk.internal.net.http.frame
|
* java.net.http/jdk.internal.net.http.frame
|
||||||
* java.net.http/jdk.internal.net.http.hpack
|
* java.net.http/jdk.internal.net.http.hpack
|
||||||
* @run testng/othervm ServerCloseTest
|
* @run testng/othervm -Djdk.tls.acknowledgeCloseNotify=true ServerCloseTest
|
||||||
*/
|
*/
|
||||||
//* -Djdk.internal.httpclient.debug=true
|
//* -Djdk.internal.httpclient.debug=true
|
||||||
|
|
||||||
|
@ -191,6 +191,7 @@ public class SSLEngineAlpnTest {
|
|||||||
if (debug) {
|
if (debug) {
|
||||||
System.setProperty("javax.net.debug", "all");
|
System.setProperty("javax.net.debug", "all");
|
||||||
}
|
}
|
||||||
|
System.setProperty("jdk.tls.acknowledgeCloseNotify", "true");
|
||||||
System.out.println("Test args: " + Arrays.toString(args));
|
System.out.println("Test args: " + Arrays.toString(args));
|
||||||
|
|
||||||
// Validate parameters
|
// Validate parameters
|
||||||
@ -358,6 +359,7 @@ public class SSLEngineAlpnTest {
|
|||||||
|
|
||||||
log("\tClosing clientEngine's *OUTBOUND*...");
|
log("\tClosing clientEngine's *OUTBOUND*...");
|
||||||
clientEngine.closeOutbound();
|
clientEngine.closeOutbound();
|
||||||
|
// serverEngine.closeOutbound();
|
||||||
dataDone = true;
|
dataDone = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -25,7 +25,14 @@
|
|||||||
* @test
|
* @test
|
||||||
* @bug 5019096
|
* @bug 5019096
|
||||||
* @summary Add scatter/gather APIs for SSLEngine
|
* @summary Add scatter/gather APIs for SSLEngine
|
||||||
*
|
* @run main/othervm Arrays SSL
|
||||||
|
* @run main/othervm Arrays TLS
|
||||||
|
* @run main/othervm Arrays SSLv3
|
||||||
|
* @run main/othervm Arrays TLSv1
|
||||||
|
* @run main/othervm Arrays TLSv1.1
|
||||||
|
* @run main/othervm Arrays TLSv1.2
|
||||||
|
* @run main/othervm Arrays TLSv1.3
|
||||||
|
* @run main/othervm -Djdk.tls.acknowledgeCloseNotify=true Arrays TLSv1.3
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import javax.net.ssl.*;
|
import javax.net.ssl.*;
|
||||||
@ -37,6 +44,8 @@ import java.nio.*;
|
|||||||
public class Arrays {
|
public class Arrays {
|
||||||
|
|
||||||
private static boolean debug = false;
|
private static boolean debug = false;
|
||||||
|
private static boolean acknowledgeCloseNotify =
|
||||||
|
"true".equals(System.getProperty("jdk.tls.acknowledgeCloseNotify"));
|
||||||
|
|
||||||
private SSLContext sslc;
|
private SSLContext sslc;
|
||||||
private SSLEngine ssle1; // client
|
private SSLEngine ssle1; // client
|
||||||
@ -131,11 +140,13 @@ public class Arrays {
|
|||||||
|
|
||||||
for (int i = 0; i < appOutArray1.length; i++) {
|
for (int i = 0; i < appOutArray1.length; i++) {
|
||||||
if (appOutArray1[i].remaining() != 0) {
|
if (appOutArray1[i].remaining() != 0) {
|
||||||
|
log("1st out not done");
|
||||||
done = false;
|
done = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (appOut2.remaining() != 0) {
|
if (appOut2.remaining() != 0) {
|
||||||
|
log("2nd out not done");
|
||||||
done = false;
|
done = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -145,6 +156,19 @@ public class Arrays {
|
|||||||
appOutArray1[i].rewind();
|
appOutArray1[i].rewind();
|
||||||
}
|
}
|
||||||
ssle1.closeOutbound();
|
ssle1.closeOutbound();
|
||||||
|
String protocol = ssle2.getSession().getProtocol();
|
||||||
|
if (!acknowledgeCloseNotify) {
|
||||||
|
switch (ssle2.getSession().getProtocol()) {
|
||||||
|
case "SSLv3":
|
||||||
|
case "TLSv1":
|
||||||
|
case "TLSv1.1":
|
||||||
|
case "TLSv1.2":
|
||||||
|
break;
|
||||||
|
default: // TLSv1.3
|
||||||
|
// TLS 1.3, half-close only.
|
||||||
|
ssle2.closeOutbound();
|
||||||
|
}
|
||||||
|
}
|
||||||
dataDone = true;
|
dataDone = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -155,7 +179,9 @@ public class Arrays {
|
|||||||
checkTransfer(appInArray1, appOut2);
|
checkTransfer(appInArray1, appOut2);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static String contextVersion;
|
||||||
public static void main(String args[]) throws Exception {
|
public static void main(String args[]) throws Exception {
|
||||||
|
contextVersion = args[0];
|
||||||
|
|
||||||
Arrays test;
|
Arrays test;
|
||||||
|
|
||||||
@ -165,7 +191,7 @@ public class Arrays {
|
|||||||
|
|
||||||
test.runTest();
|
test.runTest();
|
||||||
|
|
||||||
System.out.println("Test Passed.");
|
System.err.println("Test Passed.");
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -198,7 +224,7 @@ public class Arrays {
|
|||||||
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
|
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
|
||||||
tmf.init(ts);
|
tmf.init(ts);
|
||||||
|
|
||||||
SSLContext sslCtx = SSLContext.getInstance("TLS");
|
SSLContext sslCtx = SSLContext.getInstance(contextVersion);
|
||||||
|
|
||||||
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
|
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
|
||||||
|
|
||||||
@ -288,7 +314,7 @@ public class Arrays {
|
|||||||
|
|
||||||
private static void log(String str) {
|
private static void log(String str) {
|
||||||
if (debug) {
|
if (debug) {
|
||||||
System.out.println(str);
|
System.err.println(str);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -26,6 +26,8 @@
|
|||||||
* @bug 4981697
|
* @bug 4981697
|
||||||
* @summary Rework the X509KeyManager to avoid incompatibility issues
|
* @summary Rework the X509KeyManager to avoid incompatibility issues
|
||||||
* @author Brad R. Wetmore
|
* @author Brad R. Wetmore
|
||||||
|
*
|
||||||
|
* @run main/othervm -Djdk.tls.acknowledgeCloseNotify=true ExtendedKeyEngine
|
||||||
*/
|
*/
|
||||||
|
|
||||||
import javax.net.ssl.*;
|
import javax.net.ssl.*;
|
||||||
|
@ -936,6 +936,7 @@ abstract public class SSLEngineTestCase {
|
|||||||
case SUPPORTED_NON_KRB_NON_SHA_CIPHERS:
|
case SUPPORTED_NON_KRB_NON_SHA_CIPHERS:
|
||||||
case SUPPORTED_KRB_CIPHERS:
|
case SUPPORTED_KRB_CIPHERS:
|
||||||
case ENABLED_NON_KRB_NOT_ANON_CIPHERS:
|
case ENABLED_NON_KRB_NOT_ANON_CIPHERS:
|
||||||
|
case TLS13_CIPHERS:
|
||||||
if (error != null) {
|
if (error != null) {
|
||||||
System.out.println("Test Failed: " + cs);
|
System.out.println("Test Failed: " + cs);
|
||||||
System.err.println("Test Exception for " + cs);
|
System.err.println("Test Exception for " + cs);
|
||||||
|
54
test/jdk/javax/net/ssl/TLSv12/TLSEnginesClosureTest.java
Normal file
54
test/jdk/javax/net/ssl/TLSv12/TLSEnginesClosureTest.java
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
|
||||||
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
*
|
||||||
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License version 2 only, as
|
||||||
|
* published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
* accompanied this code).
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License version
|
||||||
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
*
|
||||||
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||||
|
* or visit www.oracle.com if you need additional information or have any
|
||||||
|
* questions.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* @test
|
||||||
|
* @bug 8207009
|
||||||
|
* @summary Testing TLS engines closing using each of the supported
|
||||||
|
* cipher suites.
|
||||||
|
* @library /sun/security/krb5/auto /javax/net/ssl/TLSCommon
|
||||||
|
* @modules java.security.jgss
|
||||||
|
* jdk.security.auth
|
||||||
|
* java.security.jgss/sun.security.jgss.krb5
|
||||||
|
* java.security.jgss/sun.security.krb5:+open
|
||||||
|
* java.security.jgss/sun.security.krb5.internal:+open
|
||||||
|
* java.security.jgss/sun.security.krb5.internal.ccache
|
||||||
|
* java.security.jgss/sun.security.krb5.internal.crypto
|
||||||
|
* java.security.jgss/sun.security.krb5.internal.ktab
|
||||||
|
* java.base/sun.security.util
|
||||||
|
* @run main/othervm -Dtest.security.protocol=TLSv1.2
|
||||||
|
* -Dtest.mode=norm TLSEnginesClosureTest
|
||||||
|
* @run main/othervm -Dtest.security.protocol=TLSv1.2
|
||||||
|
* -Dtest.mode=norm_sni TLSEnginesClosureTest
|
||||||
|
* @run main/othervm -Dtest.security.protocol=TLSv1.2
|
||||||
|
* -Dtest.mode=krb TLSEnginesClosureTest
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Testing TLS engines closing using each of the supported cipher suites.
|
||||||
|
*/
|
||||||
|
public class TLSEnginesClosureTest {
|
||||||
|
public static void main(String[] args) {
|
||||||
|
EnginesClosureTest.main(args);
|
||||||
|
}
|
||||||
|
}
|
@ -21,14 +21,16 @@
|
|||||||
* questions.
|
* questions.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
//
|
||||||
|
// SunJSSE does not support dynamic system properties, no way to re-use
|
||||||
|
// system properties in samevm/agentvm mode.
|
||||||
|
//
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* @test
|
* @test
|
||||||
* @bug 4814140
|
* @bug 4814140
|
||||||
* @summary AppInputStream: read can block a close
|
* @summary AppInputStream: read can block a close
|
||||||
* @run main/othervm ReadBlocksClose
|
* @run main/othervm -Djdk.tls.acknowledgeCloseNotify=true ReadBlocksClose
|
||||||
*
|
|
||||||
* SunJSSE does not support dynamic system properties, no way to re-use
|
|
||||||
* system properties in samevm/agentvm mode.
|
|
||||||
* @author Brad Wetmore
|
* @author Brad Wetmore
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@ -141,7 +143,8 @@ public class ReadBlocksClose {
|
|||||||
System.out.println("Closing Thread started");
|
System.out.println("Closing Thread started");
|
||||||
Thread.sleep(3000);
|
Thread.sleep(3000);
|
||||||
System.out.println("Closing Thread closing");
|
System.out.println("Closing Thread closing");
|
||||||
sslIS.close();
|
sslOS.close();
|
||||||
|
System.out.println("Closing Thread closed");
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
RuntimeException rte =
|
RuntimeException rte =
|
||||||
new RuntimeException("Check this out");
|
new RuntimeException("Check this out");
|
||||||
|
@ -68,11 +68,6 @@ public class CloseStart {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static void runTest1(SSLEngine ssle) throws Exception {
|
|
||||||
ssle.closeInbound();
|
|
||||||
checkDone(ssle);
|
|
||||||
}
|
|
||||||
|
|
||||||
private static void runTest2(SSLEngine ssle) throws Exception {
|
private static void runTest2(SSLEngine ssle) throws Exception {
|
||||||
ssle.closeOutbound();
|
ssle.closeOutbound();
|
||||||
checkDone(ssle);
|
checkDone(ssle);
|
||||||
@ -81,10 +76,16 @@ public class CloseStart {
|
|||||||
public static void main(String args[]) throws Exception {
|
public static void main(String args[]) throws Exception {
|
||||||
|
|
||||||
SSLEngine ssle = createSSLEngine(keyFilename, trustFilename);
|
SSLEngine ssle = createSSLEngine(keyFilename, trustFilename);
|
||||||
runTest1(ssle);
|
ssle.closeInbound();
|
||||||
|
if (!ssle.isInboundDone()) {
|
||||||
|
throw new Exception("isInboundDone isn't done");
|
||||||
|
}
|
||||||
|
|
||||||
ssle = createSSLEngine(keyFilename, trustFilename);
|
ssle = createSSLEngine(keyFilename, trustFilename);
|
||||||
runTest2(ssle);
|
ssle.closeOutbound();
|
||||||
|
if (!ssle.isOutboundDone()) {
|
||||||
|
throw new Exception("isOutboundDone isn't done");
|
||||||
|
}
|
||||||
|
|
||||||
System.out.println("Test Passed.");
|
System.out.println("Test Passed.");
|
||||||
}
|
}
|
||||||
|
@ -280,6 +280,7 @@ public class SSLEngineDeadlock {
|
|||||||
|
|
||||||
log("\tClosing clientEngine's *OUTBOUND*...");
|
log("\tClosing clientEngine's *OUTBOUND*...");
|
||||||
clientEngine.closeOutbound();
|
clientEngine.closeOutbound();
|
||||||
|
serverEngine.closeOutbound();
|
||||||
dataDone = true;
|
dataDone = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -127,8 +127,7 @@ public class SSLEngineKeyLimit {
|
|||||||
output.shouldNotContain("KeyUpdate: write key updated");
|
output.shouldNotContain("KeyUpdate: write key updated");
|
||||||
output.shouldNotContain("KeyUpdate: read key updated");
|
output.shouldNotContain("KeyUpdate: read key updated");
|
||||||
} else {
|
} else {
|
||||||
output.shouldContain("KeyUpdate: triggered, read side");
|
output.shouldContain("trigger key update");
|
||||||
output.shouldContain("KeyUpdate: triggered, write side");
|
|
||||||
output.shouldContain("KeyUpdate: write key updated");
|
output.shouldContain("KeyUpdate: write key updated");
|
||||||
output.shouldContain("KeyUpdate: read key updated");
|
output.shouldContain("KeyUpdate: read key updated");
|
||||||
}
|
}
|
||||||
|
@ -106,11 +106,11 @@ public class TLS13BeginHandshake {
|
|||||||
checkTransfer(clientOut, serverIn);
|
checkTransfer(clientOut, serverIn);
|
||||||
System.out.println("\tClosing...");
|
System.out.println("\tClosing...");
|
||||||
clientEngine.closeOutbound();
|
clientEngine.closeOutbound();
|
||||||
|
serverEngine.closeOutbound();
|
||||||
done++;
|
done++;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static boolean isEngineClosed(SSLEngine engine) {
|
private static boolean isEngineClosed(SSLEngine engine) {
|
||||||
|
@ -36,6 +36,7 @@
|
|||||||
|
|
||||||
import javax.net.ssl.*;
|
import javax.net.ssl.*;
|
||||||
import java.io.*;
|
import java.io.*;
|
||||||
|
import java.net.SocketException;
|
||||||
import java.util.concurrent.CountDownLatch;
|
import java.util.concurrent.CountDownLatch;
|
||||||
import java.util.concurrent.TimeUnit;
|
import java.util.concurrent.TimeUnit;
|
||||||
|
|
||||||
@ -123,6 +124,9 @@ public class AsyncSSLSocketClose implements Runnable {
|
|||||||
os.write(ba);
|
os.write(ba);
|
||||||
System.out.println(count + " bytes written");
|
System.out.println(count + " bytes written");
|
||||||
}
|
}
|
||||||
|
} catch (SocketException se) {
|
||||||
|
// the closing may be in progress
|
||||||
|
System.out.println("interrupted? " + se);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
if (socket.isClosed() || socket.isOutputShutdown()) {
|
if (socket.isClosed() || socket.isOutputShutdown()) {
|
||||||
System.out.println("interrupted, the socket is closed");
|
System.out.println("interrupted, the socket is closed");
|
||||||
|
@ -119,7 +119,7 @@ public class SSLSocketKeyLimit {
|
|||||||
System.setProperty("test.java.opts",
|
System.setProperty("test.java.opts",
|
||||||
"-Dtest.src=" + System.getProperty("test.src") +
|
"-Dtest.src=" + System.getProperty("test.src") +
|
||||||
" -Dtest.jdk=" + System.getProperty("test.jdk") +
|
" -Dtest.jdk=" + System.getProperty("test.jdk") +
|
||||||
" -Djavax.net.debug=ssl,handshake " +
|
" -Djavax.net.debug=ssl,handshake" +
|
||||||
" -Djava.security.properties=" + f.getName());
|
" -Djava.security.properties=" + f.getName());
|
||||||
|
|
||||||
System.out.println("test.java.opts: " +
|
System.out.println("test.java.opts: " +
|
||||||
@ -134,8 +134,7 @@ public class SSLSocketKeyLimit {
|
|||||||
output.shouldNotContain("KeyUpdate: write key updated");
|
output.shouldNotContain("KeyUpdate: write key updated");
|
||||||
output.shouldNotContain("KeyUpdate: read key updated");
|
output.shouldNotContain("KeyUpdate: read key updated");
|
||||||
} else {
|
} else {
|
||||||
output.shouldContain("KeyUpdate: triggered, read side");
|
output.shouldContain("trigger key update");
|
||||||
output.shouldContain("KeyUpdate: triggered, write side");
|
|
||||||
output.shouldContain("KeyUpdate: write key updated");
|
output.shouldContain("KeyUpdate: write key updated");
|
||||||
output.shouldContain("KeyUpdate: read key updated");
|
output.shouldContain("KeyUpdate: read key updated");
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,329 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
|
||||||
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
*
|
||||||
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License version 2 only, as
|
||||||
|
* published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
* accompanied this code).
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License version
|
||||||
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
*
|
||||||
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||||
|
* or visit www.oracle.com if you need additional information or have any
|
||||||
|
* questions.
|
||||||
|
*/
|
||||||
|
|
||||||
|
//
|
||||||
|
// SunJSSE does not support dynamic system properties, no way to re-use
|
||||||
|
// system properties in samevm/agentvm mode.
|
||||||
|
//
|
||||||
|
|
||||||
|
/*
|
||||||
|
* @test
|
||||||
|
* @bug 8208642
|
||||||
|
* @summary Server initiated TLSv1.2 renegotiation fails if Java
|
||||||
|
* client allows TLSv1.3
|
||||||
|
* @run main/othervm ServerRenegoWithTwoVersions TLSv1 SSLv3
|
||||||
|
* @run main/othervm ServerRenegoWithTwoVersions TLSv1 TLSv1.1
|
||||||
|
* @run main/othervm ServerRenegoWithTwoVersions TLSv1.2 TLSv1.1
|
||||||
|
* @run main/othervm ServerRenegoWithTwoVersions TLSv1.3 TLSv1.2
|
||||||
|
*/
|
||||||
|
|
||||||
|
import java.io.*;
|
||||||
|
import java.net.*;
|
||||||
|
import java.security.Security;
|
||||||
|
import javax.net.ssl.*;
|
||||||
|
|
||||||
|
public class ServerRenegoWithTwoVersions implements
|
||||||
|
HandshakeCompletedListener {
|
||||||
|
|
||||||
|
static byte handshakesCompleted = 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Define what happens when handshaking is completed
|
||||||
|
*/
|
||||||
|
public void handshakeCompleted(HandshakeCompletedEvent event) {
|
||||||
|
synchronized (this) {
|
||||||
|
handshakesCompleted++;
|
||||||
|
System.out.println("Session: " + event.getSession().toString());
|
||||||
|
System.out.println("Seen handshake completed #" +
|
||||||
|
handshakesCompleted);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* =============================================================
|
||||||
|
* Set the various variables needed for the tests, then
|
||||||
|
* specify what tests to run on each side.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Should we run the client or server in a separate thread?
|
||||||
|
* Both sides can throw exceptions, but do you have a preference
|
||||||
|
* as to which side should be the main thread.
|
||||||
|
*/
|
||||||
|
static boolean separateServerThread = false;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Where do we find the keystores?
|
||||||
|
*/
|
||||||
|
static String pathToStores = "../../../../javax/net/ssl/etc";
|
||||||
|
static String keyStoreFile = "keystore";
|
||||||
|
static String trustStoreFile = "truststore";
|
||||||
|
static String passwd = "passphrase";
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Is the server ready to serve?
|
||||||
|
*/
|
||||||
|
volatile static boolean serverReady = false;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Turn on SSL debugging?
|
||||||
|
*/
|
||||||
|
static boolean debug = false;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If the client or server is doing some kind of object creation
|
||||||
|
* that the other side depends on, and that thread prematurely
|
||||||
|
* exits, you may experience a hang. The test harness will
|
||||||
|
* terminate all hung threads after its timeout has expired,
|
||||||
|
* currently 3 minutes by default, but you might try to be
|
||||||
|
* smart about it....
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Define the server side of the test.
|
||||||
|
*
|
||||||
|
* If the server prematurely exits, serverReady will be set to true
|
||||||
|
* to avoid infinite hangs.
|
||||||
|
*/
|
||||||
|
void doServerSide() throws Exception {
|
||||||
|
SSLServerSocketFactory sslssf =
|
||||||
|
(SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
|
||||||
|
SSLServerSocket sslServerSocket =
|
||||||
|
(SSLServerSocket) sslssf.createServerSocket(serverPort);
|
||||||
|
|
||||||
|
serverPort = sslServerSocket.getLocalPort();
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Signal Client, we're ready for his connect.
|
||||||
|
*/
|
||||||
|
serverReady = true;
|
||||||
|
|
||||||
|
SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept();
|
||||||
|
sslSocket.setEnabledProtocols(new String[] { serverProtocol });
|
||||||
|
sslSocket.addHandshakeCompletedListener(this);
|
||||||
|
InputStream sslIS = sslSocket.getInputStream();
|
||||||
|
OutputStream sslOS = sslSocket.getOutputStream();
|
||||||
|
|
||||||
|
for (int i = 0; i < 10; i++) {
|
||||||
|
sslIS.read();
|
||||||
|
sslOS.write(85);
|
||||||
|
sslOS.flush();
|
||||||
|
}
|
||||||
|
|
||||||
|
System.out.println("invalidating");
|
||||||
|
sslSocket.getSession().invalidate();
|
||||||
|
System.out.println("starting new handshake");
|
||||||
|
sslSocket.startHandshake();
|
||||||
|
|
||||||
|
for (int i = 0; i < 10; i++) {
|
||||||
|
System.out.println("sending/receiving data, iteration: " + i);
|
||||||
|
sslIS.read();
|
||||||
|
sslOS.write(85);
|
||||||
|
sslOS.flush();
|
||||||
|
}
|
||||||
|
|
||||||
|
sslSocket.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Define the client side of the test.
|
||||||
|
*
|
||||||
|
* If the server prematurely exits, serverReady will be set to true
|
||||||
|
* to avoid infinite hangs.
|
||||||
|
*/
|
||||||
|
void doClientSide() throws Exception {
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Wait for server to get started.
|
||||||
|
*/
|
||||||
|
while (!serverReady) {
|
||||||
|
Thread.sleep(50);
|
||||||
|
}
|
||||||
|
|
||||||
|
SSLSocketFactory sslsf =
|
||||||
|
(SSLSocketFactory)SSLSocketFactory.getDefault();
|
||||||
|
SSLSocket sslSocket = (SSLSocket)
|
||||||
|
sslsf.createSocket("localhost", serverPort);
|
||||||
|
sslSocket.setEnabledProtocols(
|
||||||
|
new String[] { serverProtocol, clientProtocol });
|
||||||
|
|
||||||
|
InputStream sslIS = sslSocket.getInputStream();
|
||||||
|
OutputStream sslOS = sslSocket.getOutputStream();
|
||||||
|
|
||||||
|
for (int i = 0; i < 10; i++) {
|
||||||
|
sslOS.write(280);
|
||||||
|
sslOS.flush();
|
||||||
|
sslIS.read();
|
||||||
|
}
|
||||||
|
|
||||||
|
for (int i = 0; i < 10; i++) {
|
||||||
|
sslOS.write(280);
|
||||||
|
sslOS.flush();
|
||||||
|
sslIS.read();
|
||||||
|
}
|
||||||
|
|
||||||
|
sslSocket.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* =============================================================
|
||||||
|
* The remainder is just support stuff
|
||||||
|
*/
|
||||||
|
|
||||||
|
// use any free port by default
|
||||||
|
volatile int serverPort = 0;
|
||||||
|
|
||||||
|
volatile Exception serverException = null;
|
||||||
|
volatile Exception clientException = null;
|
||||||
|
|
||||||
|
// the specified protocol
|
||||||
|
private static String clientProtocol;
|
||||||
|
private static String serverProtocol;
|
||||||
|
|
||||||
|
public static void main(String[] args) throws Exception {
|
||||||
|
String keyFilename =
|
||||||
|
System.getProperty("test.src", "./") + "/" + pathToStores +
|
||||||
|
"/" + keyStoreFile;
|
||||||
|
String trustFilename =
|
||||||
|
System.getProperty("test.src", "./") + "/" + pathToStores +
|
||||||
|
"/" + trustStoreFile;
|
||||||
|
|
||||||
|
System.setProperty("javax.net.ssl.keyStore", keyFilename);
|
||||||
|
System.setProperty("javax.net.ssl.keyStorePassword", passwd);
|
||||||
|
System.setProperty("javax.net.ssl.trustStore", trustFilename);
|
||||||
|
System.setProperty("javax.net.ssl.trustStorePassword", passwd);
|
||||||
|
|
||||||
|
if (debug) {
|
||||||
|
System.setProperty("javax.net.debug", "all");
|
||||||
|
}
|
||||||
|
|
||||||
|
Security.setProperty("jdk.tls.disabledAlgorithms", "");
|
||||||
|
|
||||||
|
clientProtocol = args[0];
|
||||||
|
serverProtocol = args[1];
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Start the tests.
|
||||||
|
*/
|
||||||
|
new ServerRenegoWithTwoVersions();
|
||||||
|
}
|
||||||
|
|
||||||
|
Thread clientThread = null;
|
||||||
|
Thread serverThread = null;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Primary constructor, used to drive remainder of the test.
|
||||||
|
*
|
||||||
|
* Fork off the other side, then do your work.
|
||||||
|
*/
|
||||||
|
ServerRenegoWithTwoVersions() throws Exception {
|
||||||
|
if (separateServerThread) {
|
||||||
|
startServer(true);
|
||||||
|
startClient(false);
|
||||||
|
} else {
|
||||||
|
startClient(true);
|
||||||
|
startServer(false);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Wait for other side to close down.
|
||||||
|
*/
|
||||||
|
if (separateServerThread) {
|
||||||
|
serverThread.join();
|
||||||
|
} else {
|
||||||
|
clientThread.join();
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* When we get here, the test is pretty much over.
|
||||||
|
*
|
||||||
|
* If the main thread excepted, that propagates back
|
||||||
|
* immediately. If the other thread threw an exception, we
|
||||||
|
* should report back.
|
||||||
|
*/
|
||||||
|
if (serverException != null) {
|
||||||
|
System.out.print("Server Exception:");
|
||||||
|
throw serverException;
|
||||||
|
}
|
||||||
|
if (clientException != null) {
|
||||||
|
System.out.print("Client Exception:");
|
||||||
|
throw clientException;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Give the Handshaker Thread a chance to run
|
||||||
|
*/
|
||||||
|
Thread.sleep(1000);
|
||||||
|
|
||||||
|
synchronized (this) {
|
||||||
|
if (handshakesCompleted != 2) {
|
||||||
|
throw new Exception("Didn't see 2 handshake completed events.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void startServer(boolean newThread) throws Exception {
|
||||||
|
if (newThread) {
|
||||||
|
serverThread = new Thread() {
|
||||||
|
public void run() {
|
||||||
|
try {
|
||||||
|
doServerSide();
|
||||||
|
} catch (Exception e) {
|
||||||
|
/*
|
||||||
|
* Our server thread just died.
|
||||||
|
*
|
||||||
|
* Release the client, if not active already...
|
||||||
|
*/
|
||||||
|
System.err.println("Server died...");
|
||||||
|
serverReady = true;
|
||||||
|
serverException = e;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
serverThread.start();
|
||||||
|
} else {
|
||||||
|
doServerSide();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void startClient(boolean newThread) throws Exception {
|
||||||
|
if (newThread) {
|
||||||
|
clientThread = new Thread() {
|
||||||
|
public void run() {
|
||||||
|
try {
|
||||||
|
doClientSide();
|
||||||
|
} catch (Exception e) {
|
||||||
|
/*
|
||||||
|
* Our client thread just died.
|
||||||
|
*/
|
||||||
|
System.err.println("Client died...");
|
||||||
|
clientException = e;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
clientThread.start();
|
||||||
|
} else {
|
||||||
|
doClientSide();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user