1berry/openjdk
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

8221882: Use fiber-friendly java.util.concurrent.locks in JSSE

Browse Source 
Reviewed-by: alanb, dfuchs
This commit is contained in:
Xue-Lei Andrew Fan 2019-04-05 11:28:23 -07:00
parent 6d617481d4
commit 8263b618ba
22 changed files with 1672 additions and 1020 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
src/java.base/share/classes/javax/net/ssl/SSLContext.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -26,8 +26,9 @@
package javax.net.ssl;
import java.security.*;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.VarHandle;
import java.util.Objects;
import sun.security.jca.GetInstance;
/**
@ -58,6 +59,20 @@ public class SSLContext {
private final String protocol;
private static volatile SSLContext defaultContext;
private static final VarHandle VH_DEFAULT_CONTEXT;
static {
try {
VH_DEFAULT_CONTEXT = MethodHandles.lookup()
.findStaticVarHandle(
SSLContext.class, "defaultContext", SSLContext.class);
} catch (Exception e) {
throw new ExceptionInInitializerError(e);
}
}
/**
* Creates an SSLContext object.
*
@ -72,8 +87,6 @@ public class SSLContext {
this.protocol = protocol;
}
private static SSLContext defaultContext;
/**
* Returns the default SSL context.
*
@ -91,12 +104,16 @@ public class SSLContext {
* {@link SSLContext#getInstance SSLContext.getInstance()} call fails
* @since 1.6
*/
public static synchronized SSLContext getDefault()
throws NoSuchAlgorithmException {
if (defaultContext == null) {
defaultContext = SSLContext.getInstance("Default");
public static SSLContext getDefault() throws NoSuchAlgorithmException {
SSLContext temporaryContext = defaultContext;
if (temporaryContext == null) {
temporaryContext = SSLContext.getInstance("Default");
if (!VH_DEFAULT_CONTEXT.compareAndSet(null, temporaryContext)) {
temporaryContext = defaultContext;
}
}
return defaultContext;
return temporaryContext;
}
/**
@ -111,7 +128,7 @@ public class SSLContext {
* {@code SSLPermission("setDefaultSSLContext")}
* @since 1.6
*/
public static synchronized void setDefault(SSLContext context) {
public static void setDefault(SSLContext context) {
if (context == null) {
throw new NullPointerException();
}
@ -119,6 +136,7 @@ public class SSLContext {
if (sm != null) {
sm.checkPermission(new SSLPermission("setDefaultSSLContext"));
}
defaultContext = context;
}

94
src/java.base/share/classes/javax/net/ssl/SSLServerSocketFactory.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -42,17 +42,7 @@ import java.security.*;
* @see SSLServerSocket
* @author David Brownell
*/
public abstract class SSLServerSocketFactory extends ServerSocketFactory
{
private static SSLServerSocketFactory theFactory;
private static boolean propertyChecked;
private static void log(String msg) {
if (SSLSocketFactory.DEBUG) {
System.out.println(msg);
}
}
public abstract class SSLServerSocketFactory extends ServerSocketFactory {
/**
* Constructor is used only by subclasses.
@ -75,39 +65,9 @@ public abstract class SSLServerSocketFactory extends ServerSocketFactory
* @return the default <code>ServerSocketFactory</code>
* @see SSLContext#getDefault
*/
public static synchronized ServerSocketFactory getDefault() {
if (theFactory != null) {
return theFactory;
}
if (propertyChecked == false) {
propertyChecked = true;
String clsName = SSLSocketFactory.getSecurityProperty
("ssl.ServerSocketFactory.provider");
if (clsName != null) {
log("setting up default SSLServerSocketFactory");
try {
Class<?> cls = null;
try {
cls = Class.forName(clsName);
} catch (ClassNotFoundException e) {
ClassLoader cl = ClassLoader.getSystemClassLoader();
if (cl != null) {
cls = cl.loadClass(clsName);
}
}
log("class " + clsName + " is loaded");
@SuppressWarnings("deprecation")
SSLServerSocketFactory fac = (SSLServerSocketFactory)cls.newInstance();
log("instantiated an instance of class " + clsName);
theFactory = fac;
return fac;
} catch (Exception e) {
log("SSLServerSocketFactory instantiation failed: " + e);
theFactory = new DefaultSSLServerSocketFactory(e);
return theFactory;
}
}
public static ServerSocketFactory getDefault() {
if (DefaultFactoryHolder.defaultFactory != null) {
return DefaultFactoryHolder.defaultFactory;
}
try {
@ -156,8 +116,50 @@ public abstract class SSLServerSocketFactory extends ServerSocketFactory
* @see #getDefaultCipherSuites()
*/
public abstract String [] getSupportedCipherSuites();
}
// lazy initialization holder class idiom for static default factory
//
// See Effective Java Second Edition: Item 71.
private static final class DefaultFactoryHolder {
private static final SSLServerSocketFactory defaultFactory;
static {
SSLServerSocketFactory mediator = null;
String clsName = SSLSocketFactory.getSecurityProperty(
"ssl.ServerSocketFactory.provider");
if (clsName != null) {
log("setting up default SSLServerSocketFactory");
try {
Class<?> cls = null;
try {
cls = Class.forName(clsName);
} catch (ClassNotFoundException e) {
ClassLoader cl = ClassLoader.getSystemClassLoader();
if (cl != null) {
cls = cl.loadClass(clsName);
}
}
log("class " + clsName + " is loaded");
mediator = (SSLServerSocketFactory)cls
.getDeclaredConstructor().newInstance();
log("instantiated an instance of class " + clsName);
} catch (Exception e) {
log("SSLServerSocketFactory instantiation failed: " + e);
mediator = new DefaultSSLServerSocketFactory(e);
}
}
defaultFactory = mediator;
}
private static void log(String msg) {
if (SSLSocketFactory.DEBUG) {
System.out.println(msg);
}
}
}
}
//
// The default factory does NOTHING.

99
src/java.base/share/classes/javax/net/ssl/SSLSocketFactory.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -42,31 +42,20 @@ import sun.security.action.GetPropertyAction;
* @see SSLSocket
* @author David Brownell
*/
public abstract class SSLSocketFactory extends SocketFactory
{
private static SSLSocketFactory theFactory;
private static boolean propertyChecked;
public abstract class SSLSocketFactory extends SocketFactory {
static final boolean DEBUG;
static {
String s = GetPropertyAction.privilegedGetProperty("javax.net.debug", "")
.toLowerCase(Locale.ENGLISH);
String s = GetPropertyAction.privilegedGetProperty(
"javax.net.debug", "").toLowerCase(Locale.ENGLISH);
DEBUG = s.contains("all") || s.contains("ssl");
}
private static void log(String msg) {
if (DEBUG) {
System.out.println(msg);
}
}
/**
* Constructor is used only by subclasses.
*/
public SSLSocketFactory() {
// blank
}
/**
@ -85,38 +74,9 @@ public abstract class SSLSocketFactory extends SocketFactory
* @return the default <code>SocketFactory</code>
* @see SSLContext#getDefault
*/
public static synchronized SocketFactory getDefault() {
if (theFactory != null) {
return theFactory;
}
if (propertyChecked == false) {
propertyChecked = true;
String clsName = getSecurityProperty("ssl.SocketFactory.provider");
if (clsName != null) {
log("setting up default SSLSocketFactory");
try {
Class<?> cls = null;
try {
cls = Class.forName(clsName);
} catch (ClassNotFoundException e) {
ClassLoader cl = ClassLoader.getSystemClassLoader();
if (cl != null) {
cls = cl.loadClass(clsName);
}
}
log("class " + clsName + " is loaded");
@SuppressWarnings("deprecation")
SSLSocketFactory fac = (SSLSocketFactory)cls.newInstance();
log("instantiated an instance of class " + clsName);
theFactory = fac;
return fac;
} catch (Exception e) {
log("SSLSocketFactory instantiation failed: " + e.toString());
theFactory = new DefaultSSLSocketFactory(e);
return theFactory;
}
}
public static SocketFactory getDefault() {
if (DefaultFactoryHolder.defaultFactory != null) {
return DefaultFactoryHolder.defaultFactory;
}
try {
@ -246,6 +206,49 @@ public abstract class SSLSocketFactory extends SocketFactory
boolean autoClose) throws IOException {
throw new UnsupportedOperationException();
}
// lazy initialization holder class idiom for static default factory
//
// See Effective Java Second Edition: Item 71.
private static final class DefaultFactoryHolder {
private static final SSLSocketFactory defaultFactory;
static {
SSLSocketFactory mediator = null;
String clsName = getSecurityProperty("ssl.SocketFactory.provider");
if (clsName != null) {
log("setting up default SSLSocketFactory");
try {
Class<?> cls = null;
try {
cls = Class.forName(clsName);
} catch (ClassNotFoundException e) {
ClassLoader cl = ClassLoader.getSystemClassLoader();
if (cl != null) {
cls = cl.loadClass(clsName);
}
}
log("class " + clsName + " is loaded");
mediator = (SSLSocketFactory)cls
.getDeclaredConstructor().newInstance();
log("instantiated an instance of class " + clsName);
} catch (Exception e) {
log("SSLSocketFactory instantiation failed: " + e);
mediator = new DefaultSSLSocketFactory(e);
}
}
defaultFactory = mediator;
}
private static void log(String msg) {
if (DEBUG) {
System.out.println(msg);
}
}
}
}

14
src/java.base/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java
View File

@ -57,8 +57,7 @@ import sun.net.www.http.HttpClient;
public class HttpsURLConnectionImpl
extends javax.net.ssl.HttpsURLConnection {
// NOTE: made protected for plugin so that subclass can set it.
protected DelegateHttpsURLConnection delegate;
private final DelegateHttpsURLConnection delegate;
HttpsURLConnectionImpl(URL u, Handler handler) throws IOException {
this(u, null, handler);
@ -78,13 +77,6 @@ public class HttpsURLConnectionImpl
delegate = new DelegateHttpsURLConnection(url, p, handler, this);
}
// NOTE: introduced for plugin
// subclass needs to overwrite this to set delegate to
// the appropriate delegatee
protected HttpsURLConnectionImpl(URL u) throws IOException {
super(u);
}
/**
* Create a new HttpClient object, bypassing the cache of
* HTTP client objects/connections.
@ -219,11 +211,11 @@ public class HttpsURLConnectionImpl
* - get input, [read input,] get output, [write output]
*/
public synchronized OutputStream getOutputStream() throws IOException {
public OutputStream getOutputStream() throws IOException {
return delegate.getOutputStream();
}
public synchronized InputStream getInputStream() throws IOException {
public InputStream getInputStream() throws IOException {
return delegate.getInputStream();
}

4
src/java.base/share/classes/sun/security/ssl/BaseSSLSocketImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -632,7 +632,7 @@ abstract class BaseSSLSocketImpl extends SSLSocket {
}
@Override
public synchronized void setSoTimeout(int timeout) throws SocketException {
public void setSoTimeout(int timeout) throws SocketException {
if (self == this) {
super.setSoTimeout(timeout);
} else {

4
src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -58,7 +58,7 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
}
@Override
public synchronized void close() throws IOException {
public void close() throws IOException {
if (!isClosed) {
super.close();
}

19
src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -58,13 +58,18 @@ final class DTLSOutputRecord extends OutputRecord implements DTLSRecord {
}
@Override
public synchronized void close() throws IOException {
if (!isClosed) {
if (fragmenter != null && fragmenter.hasAlert()) {
isCloseWaiting = true;
} else {
super.close();
public void close() throws IOException {
recordLock.lock();
try {
if (!isClosed) {
if (fragmenter != null && fragmenter.hasAlert()) {
isCloseWaiting = true;
} else {
super.close();
}
}
} finally {
recordLock.unlock();
}
}

39
src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java
View File

@ -26,6 +26,7 @@
package sun.security.ssl;
import java.security.*;
import java.util.concurrent.locks.ReentrantLock;
/**
* The "KeyManager" for ephemeral RSA keys. Ephemeral DH and ECDH keys
@ -48,6 +49,8 @@ final class EphemeralKeyManager {
new EphemeralKeyPair(null),
};
private final ReentrantLock cachedKeysLock = new ReentrantLock();
EphemeralKeyManager() {
// empty
}
@ -65,20 +68,32 @@ final class EphemeralKeyManager {
index = INDEX_RSA1024;
}
synchronized (keys) {
KeyPair kp = keys[index].getKeyPair();
if (kp == null) {
try {
KeyPairGenerator kgen = KeyPairGenerator.getInstance("RSA");
kgen.initialize(length, random);
keys[index] = new EphemeralKeyPair(kgen.genKeyPair());
kp = keys[index].getKeyPair();
} catch (Exception e) {
// ignore
}
}
KeyPair kp = keys[index].getKeyPair();
if (kp != null) {
return kp;
}
cachedKeysLock.lock();
try {
// double check
kp = keys[index].getKeyPair();
if (kp != null) {
return kp;
}
try {
KeyPairGenerator kgen = KeyPairGenerator.getInstance("RSA");
kgen.initialize(length, random);
keys[index] = new EphemeralKeyPair(kgen.genKeyPair());
kp = keys[index].getKeyPair();
} catch (Exception e) {
// ignore
}
} finally {
cachedKeysLock.unlock();
}
return kp;
}
/**

42
src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java
View File

@ -30,6 +30,7 @@ import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.concurrent.locks.ReentrantLock;
import static sun.security.ssl.ClientHello.ClientHelloMessage;
/**
@ -45,6 +46,8 @@ abstract class HelloCookieManager {
private volatile D13HelloCookieManager d13HelloCookieManager;
private volatile T13HelloCookieManager t13HelloCookieManager;
private final ReentrantLock managerLock = new ReentrantLock();
Builder(SecureRandom secureRandom) {
this.secureRandom = secureRandom;
}
@ -56,11 +59,14 @@ abstract class HelloCookieManager {
return d13HelloCookieManager;
}
synchronized (this) {
managerLock.lock();
try {
if (d13HelloCookieManager == null) {
d13HelloCookieManager =
new D13HelloCookieManager(secureRandom);
}
} finally {
managerLock.unlock();
}
return d13HelloCookieManager;
@ -69,11 +75,14 @@ abstract class HelloCookieManager {
return d10HelloCookieManager;
}
synchronized (this) {
managerLock.lock();
try {
if (d10HelloCookieManager == null) {
d10HelloCookieManager =
new D10HelloCookieManager(secureRandom);
}
} finally {
managerLock.unlock();
}
return d10HelloCookieManager;
@ -84,11 +93,14 @@ abstract class HelloCookieManager {
return t13HelloCookieManager;
}
synchronized (this) {
managerLock.lock();
try {
if (t13HelloCookieManager == null) {
t13HelloCookieManager =
new T13HelloCookieManager(secureRandom);
}
} finally {
managerLock.unlock();
}
return t13HelloCookieManager;
@ -114,6 +126,8 @@ abstract class HelloCookieManager {
private byte[] cookieSecret;
private byte[] legacySecret;
private final ReentrantLock d10ManagerLock = new ReentrantLock();
D10HelloCookieManager(SecureRandom secureRandom) {
this.secureRandom = secureRandom;
@ -131,7 +145,8 @@ abstract class HelloCookieManager {
int version;
byte[] secret;
synchronized (this) {
d10ManagerLock.lock();
try {
version = cookieVersion;
secret = cookieSecret;
@ -142,6 +157,8 @@ abstract class HelloCookieManager {
}
cookieVersion++;
} finally {
d10ManagerLock.unlock();
}
MessageDigest md;
@ -168,12 +185,15 @@ abstract class HelloCookieManager {
}
byte[] secret;
synchronized (this) {
d10ManagerLock.lock();
try {
if (((cookieVersion >> 24) & 0xFF) == cookie[0]) {
secret = cookieSecret;
} else {
secret = legacySecret; // including out of window cookies
}
} finally {
d10ManagerLock.unlock();
}
MessageDigest md;
@ -218,6 +238,8 @@ abstract class HelloCookieManager {
private final byte[] cookieSecret;
private final byte[] legacySecret;
private final ReentrantLock t13ManagerLock = new ReentrantLock();
T13HelloCookieManager(SecureRandom secureRandom) {
this.secureRandom = secureRandom;
this.cookieVersion = secureRandom.nextInt();
@ -234,7 +256,8 @@ abstract class HelloCookieManager {
int version;
byte[] secret;
synchronized (this) {
t13ManagerLock.lock();
try {
version = cookieVersion;
secret = cookieSecret;
@ -245,6 +268,8 @@ abstract class HelloCookieManager {
}
cookieVersion++; // allow wrapped version number
} finally {
t13ManagerLock.unlock();
}
MessageDigest md;
@ -313,12 +338,15 @@ abstract class HelloCookieManager {
Arrays.copyOfRange(cookie, 3 + hashLen, cookie.length);
byte[] secret;
synchronized (this) {
t13ManagerLock.lock();
try {
if ((byte)((cookieVersion >> 24) & 0xFF) == cookie[2]) {
secret = cookieSecret;
} else {
secret = legacySecret; // including out of window cookies
}
} finally {
t13ManagerLock.unlock();
}
MessageDigest md;

24
src/java.base/share/classes/sun/security/ssl/InputRecord.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -31,6 +31,7 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.util.concurrent.locks.ReentrantLock;
import javax.crypto.BadPaddingException;
import sun.security.ssl.SSLCipher.SSLReadCipher;
@ -43,10 +44,10 @@ import sun.security.ssl.SSLCipher.SSLReadCipher;
abstract class InputRecord implements Record, Closeable {
SSLReadCipher readCipher;
// Needed for KeyUpdate, used after Handshake.Finished
TransportContext tc;
TransportContext tc;
final HandshakeHash handshakeHash;
boolean isClosed;
volatile boolean isClosed;
// The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello
// and the first message we read is a ClientHello in V2 format, we convert
@ -56,6 +57,8 @@ abstract class InputRecord implements Record, Closeable {
// fragment size
int fragmentSize;
final ReentrantLock recordLock = new ReentrantLock();
InputRecord(HandshakeHash handshakeHash, SSLReadCipher readCipher) {
this.readCipher = readCipher;
this.helloVersion = ProtocolVersion.TLS10;
@ -92,14 +95,19 @@ abstract class InputRecord implements Record, Closeable {
* and flag the record as holding no data.
*/
@Override
public synchronized void close() throws IOException {
if (!isClosed) {
isClosed = true;
readCipher.dispose();
public void close() throws IOException {
recordLock.lock();
try {
if (!isClosed) {
isClosed = true;
readCipher.dispose();
}
} finally {
recordLock.unlock();
}
}
synchronized boolean isClosed() {
boolean isClosed() {
return isClosed;
}

168
src/java.base/share/classes/sun/security/ssl/OutputRecord.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,6 +30,7 @@ import java.io.Closeable;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.util.concurrent.locks.ReentrantLock;
import sun.security.ssl.SSLCipher.SSLWriteCipher;
/**
@ -68,6 +69,8 @@ abstract class OutputRecord
// closed or not?
volatile boolean isClosed;
final ReentrantLock recordLock = new ReentrantLock();
/*
* Mappings from V3 cipher suite encodings to their pure V2 equivalents.
* This is taken from the SSL V3 specification, Appendix E.
@ -89,15 +92,25 @@ abstract class OutputRecord
// Please set packetSize and protocolVersion in the implementation.
}
synchronized void setVersion(ProtocolVersion protocolVersion) {
this.protocolVersion = protocolVersion;
void setVersion(ProtocolVersion protocolVersion) {
recordLock.lock();
try {
this.protocolVersion = protocolVersion;
} finally {
recordLock.unlock();
}
}
/*
* Updates helloVersion of this record.
*/
synchronized void setHelloVersion(ProtocolVersion helloVersion) {
this.helloVersion = helloVersion;
void setHelloVersion(ProtocolVersion helloVersion) {
recordLock.lock();
try {
this.helloVersion = helloVersion;
} finally {
recordLock.unlock();
}
}
/*
@ -108,9 +121,14 @@ abstract class OutputRecord
return false;
}
synchronized boolean seqNumIsHuge() {
return (writeCipher.authenticator != null) &&
boolean seqNumIsHuge() {
recordLock.lock();
try {
return (writeCipher.authenticator != null) &&
writeCipher.authenticator.seqNumIsHuge();
} finally {
recordLock.unlock();
}
}
// SSLEngine and SSLSocket
@ -148,68 +166,93 @@ abstract class OutputRecord
}
// Change write ciphers, may use change_cipher_spec record.
synchronized void changeWriteCiphers(SSLWriteCipher writeCipher,
void changeWriteCiphers(SSLWriteCipher writeCipher,
boolean useChangeCipherSpec) throws IOException {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"change_cipher_spec message");
recordLock.lock();
try {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"change_cipher_spec message");
}
return;
}
return;
if (useChangeCipherSpec) {
encodeChangeCipherSpec();
}
/*
* Dispose of any intermediate state in the underlying cipher.
* For PKCS11 ciphers, this will release any attached sessions,
* and thus make finalization faster.
*
* Since MAC's doFinal() is called for every SSL/TLS packet, it's
* not necessary to do the same with MAC's.
*/
writeCipher.dispose();
this.writeCipher = writeCipher;
this.isFirstAppOutputRecord = true;
} finally {
recordLock.unlock();
}
if (useChangeCipherSpec) {
encodeChangeCipherSpec();
}
/*
* Dispose of any intermediate state in the underlying cipher.
* For PKCS11 ciphers, this will release any attached sessions,
* and thus make finalization faster.
*
* Since MAC's doFinal() is called for every SSL/TLS packet, it's
* not necessary to do the same with MAC's.
*/
writeCipher.dispose();
this.writeCipher = writeCipher;
this.isFirstAppOutputRecord = true;
}
// Change write ciphers using key_update handshake message.
synchronized void changeWriteCiphers(SSLWriteCipher writeCipher,
void changeWriteCiphers(SSLWriteCipher writeCipher,
byte keyUpdateRequest) throws IOException {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"key_update handshake message");
recordLock.lock();
try {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"key_update handshake message");
}
return;
}
return;
// encode the handshake message, KeyUpdate
byte[] hm = HANDSHAKE_MESSAGE_KEY_UPDATE.clone();
hm[hm.length - 1] = keyUpdateRequest;
encodeHandshake(hm, 0, hm.length);
flush();
// Dispose of any intermediate state in the underlying cipher.
writeCipher.dispose();
this.writeCipher = writeCipher;
this.isFirstAppOutputRecord = true;
} finally {
recordLock.unlock();
}
// encode the handshake message, KeyUpdate
byte[] hm = HANDSHAKE_MESSAGE_KEY_UPDATE.clone();
hm[hm.length - 1] = keyUpdateRequest;
encodeHandshake(hm, 0, hm.length);
flush();
// Dispose of any intermediate state in the underlying cipher.
writeCipher.dispose();
this.writeCipher = writeCipher;
this.isFirstAppOutputRecord = true;
}
synchronized void changePacketSize(int packetSize) {
this.packetSize = packetSize;
void changePacketSize(int packetSize) {
recordLock.lock();
try {
this.packetSize = packetSize;
} finally {
recordLock.unlock();
}
}
synchronized void changeFragmentSize(int fragmentSize) {
this.fragmentSize = fragmentSize;
void changeFragmentSize(int fragmentSize) {
recordLock.lock();
try {
this.fragmentSize = fragmentSize;
} finally {
recordLock.unlock();
}
}
synchronized int getMaxPacketSize() {
return packetSize;
int getMaxPacketSize() {
recordLock.lock();
try {
return packetSize;
} finally {
recordLock.unlock();
}
}
// apply to DTLS SSLEngine
@ -228,13 +271,18 @@ abstract class OutputRecord
}
@Override
public synchronized void close() throws IOException {
if (isClosed) {
return;
}
public void close() throws IOException {
recordLock.lock();
try {
if (isClosed) {
return;
}
isClosed = true;
writeCipher.dispose();
isClosed = true;
writeCipher.dispose();
} finally {
recordLock.unlock();
}
}
boolean isClosed() {

13
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
View File

@ -30,6 +30,7 @@ import java.net.Socket;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.*;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
@ -69,6 +70,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private volatile StatusResponseManager statusResponseManager;
private final ReentrantLock contextLock = new ReentrantLock();
SSLContextImpl() {
ephemeralKeyManager = new EphemeralKeyManager();
clientCache = new SSLSessionContextImpl();
@ -230,11 +233,14 @@ public abstract class SSLContextImpl extends SSLContextSpi {
// Used for DTLS in server mode only.
HelloCookieManager getHelloCookieManager(ProtocolVersion protocolVersion) {
if (helloCookieManagerBuilder == null) {
synchronized (this) {
contextLock.lock();
try {
if (helloCookieManagerBuilder == null) {
helloCookieManagerBuilder =
new HelloCookieManager.Builder(secureRandom);
}
} finally {
contextLock.unlock();
}
}
@ -243,7 +249,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
StatusResponseManager getStatusResponseManager() {
if (serverEnableStapling && statusResponseManager == null) {
synchronized (this) {
contextLock.lock();
try {
if (statusResponseManager == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
SSLLogger.finest(
@ -251,6 +258,8 @@ public abstract class SSLContextImpl extends SSLContextSpi {
}
statusResponseManager = new StatusResponseManager();
}
} finally {
contextLock.unlock();
}
}

635
src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -33,6 +33,7 @@ import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.BiFunction;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
@ -54,6 +55,7 @@ import javax.net.ssl.SSLSession;
final class SSLEngineImpl extends SSLEngine implements SSLTransport {
private final SSLContextImpl sslContext;
final TransportContext conContext;
private final ReentrantLock engineLock = new ReentrantLock();
/**
* Constructor for an SSLEngine from SSLContext, without
@ -93,57 +95,68 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
}
@Override
public synchronized void beginHandshake() throws SSLException {
if (conContext.isUnsureMode) {
throw new IllegalStateException(
"Client/Server mode has not yet been set.");
}
public void beginHandshake() throws SSLException {
engineLock.lock();
try {
conContext.kickstart();
} catch (IOException ioe) {
throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception ex) { // including RuntimeException
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to begin handshake", ex);
if (conContext.isUnsureMode) {
throw new IllegalStateException(
"Client/Server mode has not yet been set.");
}
try {
conContext.kickstart();
} catch (IOException ioe) {
throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception ex) { // including RuntimeException
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to begin handshake", ex);
}
} finally {
engineLock.unlock();
}
}
@Override
public synchronized SSLEngineResult wrap(ByteBuffer[] appData,
public SSLEngineResult wrap(ByteBuffer[] appData,
int offset, int length, ByteBuffer netData) throws SSLException {
return wrap(appData, offset, length, new ByteBuffer[]{ netData }, 0, 1);
}
// @Override
public synchronized SSLEngineResult wrap(
public SSLEngineResult wrap(
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws SSLException {
if (conContext.isUnsureMode) {
throw new IllegalStateException(
"Client/Server mode has not yet been set.");
}
// See if the handshaker needs to report back some SSLException.
checkTaskThrown();
// check parameters
checkParams(srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
engineLock.lock();
try {
return writeRecord(
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
} catch (IOException ioe) {
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem wrapping app data", ioe);
} catch (Exception ex) { // including RuntimeException
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to wrap application data", ex);
if (conContext.isUnsureMode) {
throw new IllegalStateException(
"Client/Server mode has not yet been set.");
}
// See if the handshaker needs to report back some SSLException.
checkTaskThrown();
// check parameters
checkParams(srcs, srcsOffset, srcsLength,
dsts, dstsOffset, dstsLength);
try {
return writeRecord(
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
} catch (IOException ioe) {
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem wrapping app data", ioe);
} catch (Exception ex) { // including RuntimeException
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to wrap application data", ex);
}
} finally {
engineLock.unlock();
}
}
@ -428,47 +441,53 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
}
@Override
public synchronized SSLEngineResult unwrap(ByteBuffer src,
public SSLEngineResult unwrap(ByteBuffer src,
ByteBuffer[] dsts, int offset, int length) throws SSLException {
return unwrap(
new ByteBuffer[]{src}, 0, 1, dsts, offset, length);
}
// @Override
public synchronized SSLEngineResult unwrap(
public SSLEngineResult unwrap(
ByteBuffer[] srcs, int srcsOffset, int srcsLength,
ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws SSLException {
if (conContext.isUnsureMode) {
throw new IllegalStateException(
"Client/Server mode has not yet been set.");
}
// See if the handshaker needs to report back some SSLException.
checkTaskThrown();
// check parameters
checkParams(srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
engineLock.lock();
try {
return readRecord(
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
spe.getMessage(), spe);
} catch (IOException ioe) {
/*
* Don't reset position so it looks like we didn't
* consume anything. We did consume something, and it
* got us into this situation, so report that much back.
* Our days of consuming are now over anyway.
*/
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem unwrapping net record", ioe);
} catch (Exception ex) { // including RuntimeException
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to unwrap network record", ex);
if (conContext.isUnsureMode) {
throw new IllegalStateException(
"Client/Server mode has not yet been set.");
}
// See if the handshaker needs to report back some SSLException.
checkTaskThrown();
// check parameters
checkParams(srcs, srcsOffset, srcsLength,
dsts, dstsOffset, dstsLength);
try {
return readRecord(
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
spe.getMessage(), spe);
} catch (IOException ioe) {
/*
* Don't reset position so it looks like we didn't
* consume anything. We did consume something, and it
* got us into this situation, so report that much back.
* Our days of consuming are now over anyway.
*/
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem unwrapping net record", ioe);
} catch (Exception ex) { // including RuntimeException
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to unwrap network record", ex);
}
} finally {
engineLock.unlock();
}
}
@ -703,61 +722,87 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
}
@Override
public synchronized Runnable getDelegatedTask() {
if (conContext.handshakeContext != null && // PRE or POST handshake
!conContext.handshakeContext.taskDelegated &&
!conContext.handshakeContext.delegatedActions.isEmpty()) {
conContext.handshakeContext.taskDelegated = true;
return new DelegatedTask(this);
public Runnable getDelegatedTask() {
engineLock.lock();
try {
if (conContext.handshakeContext != null && // PRE or POST handshake
!conContext.handshakeContext.taskDelegated &&
!conContext.handshakeContext.delegatedActions.isEmpty()) {
conContext.handshakeContext.taskDelegated = true;
return new DelegatedTask(this);
}
} finally {
engineLock.unlock();
}
return null;
}
@Override
public synchronized void closeInbound() throws SSLException {
if (isInboundDone()) {
return;
public void closeInbound() throws SSLException {
engineLock.lock();
try {
if (isInboundDone()) {
return;
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.finest("Closing inbound of SSLEngine");
}
// Is it ready to close inbound?
//
// No exception if the initial handshake is not started.
if (!conContext.isInputCloseNotified &&
(conContext.isNegotiated ||
conContext.handshakeContext != null)) {
throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}
conContext.closeInbound();
} finally {
engineLock.unlock();
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.finest("Closing inbound of SSLEngine");
}
// Is it ready to close inbound?
//
// No need to throw exception if the initial handshake is not started.
if (!conContext.isInputCloseNotified &&
(conContext.isNegotiated || conContext.handshakeContext != null)) {
throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}
conContext.closeInbound();
}
@Override
public synchronized boolean isInboundDone() {
return conContext.isInboundClosed();
public boolean isInboundDone() {
engineLock.lock();
try {
return conContext.isInboundClosed();
} finally {
engineLock.unlock();
}
}
@Override
public synchronized void closeOutbound() {
if (conContext.isOutboundClosed()) {
return;
}
public void closeOutbound() {
engineLock.lock();
try {
if (conContext.isOutboundClosed()) {
return;
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.finest("Closing outbound of SSLEngine");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.finest("Closing outbound of SSLEngine");
}
conContext.closeOutbound();
conContext.closeOutbound();
} finally {
engineLock.unlock();
}
}
@Override
public synchronized boolean isOutboundDone() {
return conContext.isOutboundDone();
public boolean isOutboundDone() {
engineLock.lock();
try {
return conContext.isOutboundDone();
} finally {
engineLock.unlock();
}
}
@Override
@ -766,14 +811,24 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
}
@Override
public synchronized String[] getEnabledCipherSuites() {
return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites);
public String[] getEnabledCipherSuites() {
engineLock.lock();
try {
return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites);
} finally {
engineLock.unlock();
}
}
@Override
public synchronized void setEnabledCipherSuites(String[] suites) {
conContext.sslConfig.enabledCipherSuites =
CipherSuite.validValuesOf(suites);
public void setEnabledCipherSuites(String[] suites) {
engineLock.lock();
try {
conContext.sslConfig.enabledCipherSuites =
CipherSuite.validValuesOf(suites);
} finally {
engineLock.unlock();
}
}
@Override
@ -783,119 +838,214 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
}
@Override
public synchronized String[] getEnabledProtocols() {
return ProtocolVersion.toStringArray(
conContext.sslConfig.enabledProtocols);
}
@Override
public synchronized void setEnabledProtocols(String[] protocols) {
if (protocols == null) {
throw new IllegalArgumentException("Protocols cannot be null");
}
conContext.sslConfig.enabledProtocols =
ProtocolVersion.namesOf(protocols);
}
@Override
public synchronized SSLSession getSession() {
return conContext.conSession;
}
@Override
public synchronized SSLSession getHandshakeSession() {
return conContext.handshakeContext == null ?
null : conContext.handshakeContext.handshakeSession;
}
@Override
public synchronized SSLEngineResult.HandshakeStatus getHandshakeStatus() {
return conContext.getHandshakeStatus();
}
@Override
public synchronized void setUseClientMode(boolean mode) {
conContext.setUseClientMode(mode);
}
@Override
public synchronized boolean getUseClientMode() {
return conContext.sslConfig.isClientMode;
}
@Override
public synchronized void setNeedClientAuth(boolean need) {
conContext.sslConfig.clientAuthType =
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
ClientAuthType.CLIENT_AUTH_NONE);
}
@Override
public synchronized boolean getNeedClientAuth() {
return (conContext.sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUIRED);
}
@Override
public synchronized void setWantClientAuth(boolean want) {
conContext.sslConfig.clientAuthType =
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
ClientAuthType.CLIENT_AUTH_NONE);
}
@Override
public synchronized boolean getWantClientAuth() {
return (conContext.sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUESTED);
}
@Override
public synchronized void setEnableSessionCreation(boolean flag) {
conContext.sslConfig.enableSessionCreation = flag;
}
@Override
public synchronized boolean getEnableSessionCreation() {
return conContext.sslConfig.enableSessionCreation;
}
@Override
public synchronized SSLParameters getSSLParameters() {
return conContext.sslConfig.getSSLParameters();
}
@Override
public synchronized void setSSLParameters(SSLParameters params) {
conContext.sslConfig.setSSLParameters(params);
if (conContext.sslConfig.maximumPacketSize != 0) {
conContext.outputRecord.changePacketSize(
conContext.sslConfig.maximumPacketSize);
public String[] getEnabledProtocols() {
engineLock.lock();
try {
return ProtocolVersion.toStringArray(
conContext.sslConfig.enabledProtocols);
} finally {
engineLock.unlock();
}
}
@Override
public synchronized String getApplicationProtocol() {
return conContext.applicationProtocol;
public void setEnabledProtocols(String[] protocols) {
engineLock.lock();
try {
if (protocols == null) {
throw new IllegalArgumentException("Protocols cannot be null");
}
conContext.sslConfig.enabledProtocols =
ProtocolVersion.namesOf(protocols);
} finally {
engineLock.unlock();
}
}
@Override
public synchronized String getHandshakeApplicationProtocol() {
return conContext.handshakeContext == null ?
null : conContext.handshakeContext.applicationProtocol;
public SSLSession getSession() {
engineLock.lock();
try {
return conContext.conSession;
} finally {
engineLock.unlock();
}
}
@Override
public synchronized void setHandshakeApplicationProtocolSelector(
public SSLSession getHandshakeSession() {
engineLock.lock();
try {
return conContext.handshakeContext == null ?
null : conContext.handshakeContext.handshakeSession;
} finally {
engineLock.unlock();
}
}
@Override
public SSLEngineResult.HandshakeStatus getHandshakeStatus() {
engineLock.lock();
try {
return conContext.getHandshakeStatus();
} finally {
engineLock.unlock();
}
}
@Override
public void setUseClientMode(boolean mode) {
engineLock.lock();
try {
conContext.setUseClientMode(mode);
} finally {
engineLock.unlock();
}
}
@Override
public boolean getUseClientMode() {
engineLock.lock();
try {
return conContext.sslConfig.isClientMode;
} finally {
engineLock.unlock();
}
}
@Override
public void setNeedClientAuth(boolean need) {
engineLock.lock();
try {
conContext.sslConfig.clientAuthType =
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
ClientAuthType.CLIENT_AUTH_NONE);
} finally {
engineLock.unlock();
}
}
@Override
public boolean getNeedClientAuth() {
engineLock.lock();
try {
return (conContext.sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUIRED);
} finally {
engineLock.unlock();
}
}
@Override
public void setWantClientAuth(boolean want) {
engineLock.lock();
try {
conContext.sslConfig.clientAuthType =
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
ClientAuthType.CLIENT_AUTH_NONE);
} finally {
engineLock.unlock();
}
}
@Override
public boolean getWantClientAuth() {
engineLock.lock();
try {
return (conContext.sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUESTED);
} finally {
engineLock.unlock();
}
}
@Override
public void setEnableSessionCreation(boolean flag) {
engineLock.lock();
try {
conContext.sslConfig.enableSessionCreation = flag;
} finally {
engineLock.unlock();
}
}
@Override
public boolean getEnableSessionCreation() {
engineLock.lock();
try {
return conContext.sslConfig.enableSessionCreation;
} finally {
engineLock.unlock();
}
}
@Override
public SSLParameters getSSLParameters() {
engineLock.lock();
try {
return conContext.sslConfig.getSSLParameters();
} finally {
engineLock.unlock();
}
}
@Override
public void setSSLParameters(SSLParameters params) {
engineLock.lock();
try {
conContext.sslConfig.setSSLParameters(params);
if (conContext.sslConfig.maximumPacketSize != 0) {
conContext.outputRecord.changePacketSize(
conContext.sslConfig.maximumPacketSize);
}
} finally {
engineLock.unlock();
}
}
@Override
public String getApplicationProtocol() {
engineLock.lock();
try {
return conContext.applicationProtocol;
} finally {
engineLock.unlock();
}
}
@Override
public String getHandshakeApplicationProtocol() {
engineLock.lock();
try {
return conContext.handshakeContext == null ?
null : conContext.handshakeContext.applicationProtocol;
} finally {
engineLock.unlock();
}
}
@Override
public void setHandshakeApplicationProtocolSelector(
BiFunction<SSLEngine, List<String>, String> selector) {
conContext.sslConfig.engineAPSelector = selector;
engineLock.lock();
try {
conContext.sslConfig.engineAPSelector = selector;
} finally {
engineLock.unlock();
}
}
@Override
public synchronized BiFunction<SSLEngine, List<String>, String>
public BiFunction<SSLEngine, List<String>, String>
getHandshakeApplicationProtocolSelector() {
return conContext.sslConfig.engineAPSelector;
engineLock.lock();
try {
return conContext.sslConfig.engineAPSelector;
} finally {
engineLock.unlock();
}
}
@Override
@ -909,38 +1059,42 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
* null, report back the Exception that happened in the delegated
* task(s).
*/
private synchronized void checkTaskThrown() throws SSLException {
private void checkTaskThrown() throws SSLException {
Exception exc = null;
// First check the handshake context.
HandshakeContext hc = conContext.handshakeContext;
if ((hc != null) && (hc.delegatedThrown != null)) {
exc = hc.delegatedThrown;
hc.delegatedThrown = null;
}
/*
* hc.delegatedThrown and conContext.delegatedThrown are most likely
* the same, but it's possible we could have had a non-fatal
* exception and thus the new HandshakeContext is still valid
* (alert warning). If so, then we may have a secondary exception
* waiting to be reported from the TransportContext, so we will
* need to clear that on a successive call. Otherwise, clear it now.
*/
if (conContext.delegatedThrown != null) {
if (exc != null) {
// hc object comparison
if (conContext.delegatedThrown == exc) {
// clear if/only if both are the same
conContext.delegatedThrown = null;
} // otherwise report the hc delegatedThrown
} else {
// Nothing waiting in HandshakeContext, but one is in the
// TransportContext.
exc = conContext.delegatedThrown;
conContext.delegatedThrown = null;
engineLock.lock();
try {
// First check the handshake context.
HandshakeContext hc = conContext.handshakeContext;
if ((hc != null) && (hc.delegatedThrown != null)) {
exc = hc.delegatedThrown;
hc.delegatedThrown = null;
}
/*
* hc.delegatedThrown and conContext.delegatedThrown are most
* likely the same, but it's possible we could have had a non-fatal
* exception and thus the new HandshakeContext is still valid
* (alert warning). If so, then we may have a secondary exception
* waiting to be reported from the TransportContext, so we will
* need to clear that on a successive call. Otherwise, clear it now.
*/
if (conContext.delegatedThrown != null) {
if (exc != null) {
// hc object comparison
if (conContext.delegatedThrown == exc) {
// clear if/only if both are the same
conContext.delegatedThrown = null;
} // otherwise report the hc delegatedThrown
} else {
// Nothing waiting in HandshakeContext, but one is in the
// TransportContext.
exc = conContext.delegatedThrown;
conContext.delegatedThrown = null;
}
}
} finally {
engineLock.unlock();
}
// Anything to report?
@ -998,7 +1152,8 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
@Override
public void run() {
synchronized (engine) {
engine.engineLock.lock();
try {
HandshakeContext hc = engine.conContext.handshakeContext;
if (hc == null || hc.delegatedActions.isEmpty()) {
return;
@ -1055,6 +1210,8 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
if (hc != null) {
hc.taskDelegated = false;
}
} finally {
engine.engineLock.unlock();
}
}

19
src/java.base/share/classes/sun/security/ssl/SSLEngineOutputRecord.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -51,13 +51,18 @@ final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
}
@Override
public synchronized void close() throws IOException {
if (!isClosed) {
if (fragmenter != null && fragmenter.hasAlert()) {
isCloseWaiting = true;
} else {
super.close();
public void close() throws IOException {
recordLock.lock();
try {
if (!isClosed) {
if (fragmenter != null && fragmenter.hasAlert()) {
isCloseWaiting = true;
} else {
super.close();
}
}
} finally {
recordLock.unlock();
}
}

210
src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,6 +28,7 @@ package sun.security.ssl;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
@ -56,6 +57,7 @@ import javax.net.ssl.SSLServerSocket;
final class SSLServerSocketImpl extends SSLServerSocket {
private final SSLContextImpl sslContext;
private final SSLConfiguration sslConfig;
private final ReentrantLock serverSocketLock = new ReentrantLock();
SSLServerSocketImpl(SSLContextImpl sslContext) throws IOException {
@ -84,14 +86,24 @@ final class SSLServerSocketImpl extends SSLServerSocket {
}
@Override
public synchronized String[] getEnabledCipherSuites() {
return CipherSuite.namesOf(sslConfig.enabledCipherSuites);
public String[] getEnabledCipherSuites() {
serverSocketLock.lock();
try {
return CipherSuite.namesOf(sslConfig.enabledCipherSuites);
} finally {
serverSocketLock.unlock();
}
}
@Override
public synchronized void setEnabledCipherSuites(String[] suites) {
sslConfig.enabledCipherSuites =
CipherSuite.validValuesOf(suites);
public void setEnabledCipherSuites(String[] suites) {
serverSocketLock.lock();
try {
sslConfig.enabledCipherSuites =
CipherSuite.validValuesOf(suites);
} finally {
serverSocketLock.unlock();
}
}
@Override
@ -106,93 +118,153 @@ final class SSLServerSocketImpl extends SSLServerSocket {
}
@Override
public synchronized String[] getEnabledProtocols() {
return ProtocolVersion.toStringArray(sslConfig.enabledProtocols);
}
@Override
public synchronized void setEnabledProtocols(String[] protocols) {
if (protocols == null) {
throw new IllegalArgumentException("Protocols cannot be null");
public String[] getEnabledProtocols() {
serverSocketLock.lock();
try {
return ProtocolVersion.toStringArray(sslConfig.enabledProtocols);
} finally {
serverSocketLock.unlock();
}
sslConfig.enabledProtocols = ProtocolVersion.namesOf(protocols);
}
@Override
public synchronized void setNeedClientAuth(boolean need) {
sslConfig.clientAuthType =
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
ClientAuthType.CLIENT_AUTH_NONE);
public void setEnabledProtocols(String[] protocols) {
serverSocketLock.lock();
try {
if (protocols == null) {
throw new IllegalArgumentException("Protocols cannot be null");
}
sslConfig.enabledProtocols = ProtocolVersion.namesOf(protocols);
} finally {
serverSocketLock.unlock();
}
}
@Override
public synchronized boolean getNeedClientAuth() {
return (sslConfig.clientAuthType ==
public void setNeedClientAuth(boolean need) {
serverSocketLock.lock();
try {
sslConfig.clientAuthType =
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
ClientAuthType.CLIENT_AUTH_NONE);
} finally {
serverSocketLock.unlock();
}
}
@Override
public boolean getNeedClientAuth() {
serverSocketLock.lock();
try {
return (sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUIRED);
}
@Override
public synchronized void setWantClientAuth(boolean want) {
sslConfig.clientAuthType =
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
ClientAuthType.CLIENT_AUTH_NONE);
}
@Override
public synchronized boolean getWantClientAuth() {
return (sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUESTED);
}
@Override
public synchronized void setUseClientMode(boolean useClientMode) {
/*
* If we need to change the client mode and the enabled
* protocols and cipher suites haven't specifically been
* set by the user, change them to the corresponding
* default ones.
*/
if (sslConfig.isClientMode != useClientMode) {
if (sslContext.isDefaultProtocolVesions(
sslConfig.enabledProtocols)) {
sslConfig.enabledProtocols =
sslContext.getDefaultProtocolVersions(!useClientMode);
}
if (sslContext.isDefaultCipherSuiteList(
sslConfig.enabledCipherSuites)) {
sslConfig.enabledCipherSuites =
sslContext.getDefaultCipherSuites(!useClientMode);
}
sslConfig.isClientMode = useClientMode;
} finally {
serverSocketLock.unlock();
}
}
@Override
public synchronized boolean getUseClientMode() {
return sslConfig.isClientMode;
public void setWantClientAuth(boolean want) {
serverSocketLock.lock();
try {
sslConfig.clientAuthType =
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
ClientAuthType.CLIENT_AUTH_NONE);
} finally {
serverSocketLock.unlock();
}
}
@Override
public synchronized void setEnableSessionCreation(boolean flag) {
sslConfig.enableSessionCreation = flag;
public boolean getWantClientAuth() {
serverSocketLock.lock();
try {
return (sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUESTED);
} finally {
serverSocketLock.unlock();
}
}
@Override
public synchronized boolean getEnableSessionCreation() {
return sslConfig.enableSessionCreation;
public void setUseClientMode(boolean useClientMode) {
serverSocketLock.lock();
try {
/*
* If we need to change the client mode and the enabled
* protocols and cipher suites haven't specifically been
* set by the user, change them to the corresponding
* default ones.
*/
if (sslConfig.isClientMode != useClientMode) {
if (sslContext.isDefaultProtocolVesions(
sslConfig.enabledProtocols)) {
sslConfig.enabledProtocols =
sslContext.getDefaultProtocolVersions(!useClientMode);
}
if (sslContext.isDefaultCipherSuiteList(
sslConfig.enabledCipherSuites)) {
sslConfig.enabledCipherSuites =
sslContext.getDefaultCipherSuites(!useClientMode);
}
sslConfig.isClientMode = useClientMode;
}
} finally {
serverSocketLock.unlock();
}
}
@Override
public synchronized SSLParameters getSSLParameters() {
return sslConfig.getSSLParameters();
public boolean getUseClientMode() {
serverSocketLock.lock();
try {
return sslConfig.isClientMode;
} finally {
serverSocketLock.unlock();
}
}
@Override
public synchronized void setSSLParameters(SSLParameters params) {
sslConfig.setSSLParameters(params);
public void setEnableSessionCreation(boolean flag) {
serverSocketLock.lock();
try {
sslConfig.enableSessionCreation = flag;
} finally {
serverSocketLock.unlock();
}
}
@Override
public boolean getEnableSessionCreation() {
serverSocketLock.lock();
try {
return sslConfig.enableSessionCreation;
} finally {
serverSocketLock.unlock();
}
}
@Override
public SSLParameters getSSLParameters() {
serverSocketLock.lock();
try {
return sslConfig.getSSLParameters();
} finally {
serverSocketLock.unlock();
}
}
@Override
public void setSSLParameters(SSLParameters params) {
serverSocketLock.lock();
try {
sslConfig.setSSLParameters(params);
} finally {
serverSocketLock.unlock();
}
}
@Override

223
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
View File

@ -38,6 +38,7 @@ import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.locks.ReentrantLock;
import javax.crypto.SecretKey;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIServerName;
@ -133,7 +134,9 @@ final class SSLSessionImpl extends ExtendedSSLSession {
// The endpoint identification algorithm used to check certificates
// in this session.
private final String identificationProtocol;
private final String identificationProtocol;
private final ReentrantLock sessionLock = new ReentrantLock();
/*
* Create a new non-rejoinable session, using the default (null)
@ -289,15 +292,22 @@ final class SSLSessionImpl extends ExtendedSSLSession {
return resumptionMasterSecret;
}
synchronized SecretKey getPreSharedKey() {
return preSharedKey;
SecretKey getPreSharedKey() {
sessionLock.lock();
try {
return preSharedKey;
} finally {
sessionLock.unlock();
}
}
synchronized SecretKey consumePreSharedKey() {
SecretKey consumePreSharedKey() {
sessionLock.lock();
try {
return preSharedKey;
} finally {
preSharedKey = null;
sessionLock.unlock();
}
}
@ -313,11 +323,13 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* be used once. This method will return the identity and then clear it
* so it cannot be used again.
*/
synchronized byte[] consumePskIdentity() {
byte[] consumePskIdentity() {
sessionLock.lock();
try {
return pskIdentity;
} finally {
pskIdentity = null;
sessionLock.unlock();
}
}
@ -393,8 +405,13 @@ final class SSLSessionImpl extends ExtendedSSLSession {
}
@Override
public synchronized boolean isValid() {
return isRejoinable();
public boolean isValid() {
sessionLock.lock();
try {
return isRejoinable();
} finally {
sessionLock.unlock();
}
}
/**
@ -777,29 +794,35 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* no connections will be able to rejoin this session.
*/
@Override
public synchronized void invalidate() {
//
// Can't invalidate the NULL session -- this would be
// attempted when we get a handshaking error on a brand
// new connection, with no "real" session yet.
//
if (this == nullSession) {
return;
}
public void invalidate() {
sessionLock.lock();
try {
//
// Can't invalidate the NULL session -- this would be
// attempted when we get a handshaking error on a brand
// new connection, with no "real" session yet.
//
if (this == nullSession) {
return;
}
if (context != null) {
context.remove(sessionId);
context = null;
}
if (invalidated) {
return;
}
invalidated = true;
if (SSLLogger.isOn && SSLLogger.isOn("session")) {
SSLLogger.finest("Invalidated session: " + this);
}
for (SSLSessionImpl child : childSessions) {
child.invalidate();
if (context != null) {
context.remove(sessionId);
context = null;
}
if (invalidated) {
return;
}
invalidated = true;
if (SSLLogger.isOn && SSLLogger.isOn("session")) {
SSLLogger.finest("Invalidated session: " + this);
}
for (SSLSessionImpl child : childSessions) {
child.invalidate();
}
} finally {
sessionLock.unlock();
}
}
@ -912,8 +935,13 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* Expand the buffer size of both SSL/TLS network packet and
* application data.
*/
protected synchronized void expandBufferSizes() {
acceptLargeFragments = true;
protected void expandBufferSizes() {
sessionLock.lock();
try {
acceptLargeFragments = true;
} finally {
sessionLock.unlock();
}
}
/**
@ -921,30 +949,35 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* when using this session.
*/
@Override
public synchronized int getPacketBufferSize() {
// Use the bigger packet size calculated from maximumPacketSize
// and negotiatedMaxFragLen.
int packetSize = 0;
if (negotiatedMaxFragLen > 0) {
packetSize = cipherSuite.calculatePacketSize(
negotiatedMaxFragLen, protocolVersion,
protocolVersion.isDTLS);
}
public int getPacketBufferSize() {
sessionLock.lock();
try {
// Use the bigger packet size calculated from maximumPacketSize
// and negotiatedMaxFragLen.
int packetSize = 0;
if (negotiatedMaxFragLen > 0) {
packetSize = cipherSuite.calculatePacketSize(
negotiatedMaxFragLen, protocolVersion,
protocolVersion.isDTLS);
}
if (maximumPacketSize > 0) {
return (maximumPacketSize > packetSize) ?
maximumPacketSize : packetSize;
}
if (maximumPacketSize > 0) {
return (maximumPacketSize > packetSize) ?
maximumPacketSize : packetSize;
}
if (packetSize != 0) {
return packetSize;
}
if (packetSize != 0) {
return packetSize;
}
if (protocolVersion.isDTLS) {
return DTLSRecord.maxRecordSize;
} else {
return acceptLargeFragments ?
SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;
if (protocolVersion.isDTLS) {
return DTLSRecord.maxRecordSize;
} else {
return acceptLargeFragments ?
SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;
}
} finally {
sessionLock.unlock();
}
}
@ -953,31 +986,36 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* expected when using this session.
*/
@Override
public synchronized int getApplicationBufferSize() {
// Use the bigger fragment size calculated from maximumPacketSize
// and negotiatedMaxFragLen.
int fragmentSize = 0;
if (maximumPacketSize > 0) {
fragmentSize = cipherSuite.calculateFragSize(
maximumPacketSize, protocolVersion,
protocolVersion.isDTLS);
}
public int getApplicationBufferSize() {
sessionLock.lock();
try {
// Use the bigger fragment size calculated from maximumPacketSize
// and negotiatedMaxFragLen.
int fragmentSize = 0;
if (maximumPacketSize > 0) {
fragmentSize = cipherSuite.calculateFragSize(
maximumPacketSize, protocolVersion,
protocolVersion.isDTLS);
}
if (negotiatedMaxFragLen > 0) {
return (negotiatedMaxFragLen > fragmentSize) ?
negotiatedMaxFragLen : fragmentSize;
}
if (negotiatedMaxFragLen > 0) {
return (negotiatedMaxFragLen > fragmentSize) ?
negotiatedMaxFragLen : fragmentSize;
}
if (fragmentSize != 0) {
return fragmentSize;
}
if (fragmentSize != 0) {
return fragmentSize;
}
if (protocolVersion.isDTLS) {
return Record.maxDataSize;
} else {
int maxPacketSize = acceptLargeFragments ?
SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;
return (maxPacketSize - SSLRecord.headerSize);
if (protocolVersion.isDTLS) {
return Record.maxDataSize;
} else {
int maxPacketSize = acceptLargeFragments ?
SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;
return (maxPacketSize - SSLRecord.headerSize);
}
} finally {
sessionLock.unlock();
}
}
@ -989,10 +1027,14 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* the negotiated maximum fragment length, or {@code -1} if
* no such length has been negotiated.
*/
synchronized void setNegotiatedMaxFragSize(
void setNegotiatedMaxFragSize(
int negotiatedMaxFragLen) {
this.negotiatedMaxFragLen = negotiatedMaxFragLen;
sessionLock.lock();
try {
this.negotiatedMaxFragLen = negotiatedMaxFragLen;
} finally {
sessionLock.unlock();
}
}
/**
@ -1002,16 +1044,31 @@ final class SSLSessionImpl extends ExtendedSSLSession {
* @return the negotiated maximum fragment length, or {@code -1} if
* no such length has been negotiated.
*/
synchronized int getNegotiatedMaxFragSize() {
return negotiatedMaxFragLen;
int getNegotiatedMaxFragSize() {
sessionLock.lock();
try {
return negotiatedMaxFragLen;
} finally {
sessionLock.unlock();
}
}
synchronized void setMaximumPacketSize(int maximumPacketSize) {
this.maximumPacketSize = maximumPacketSize;
void setMaximumPacketSize(int maximumPacketSize) {
sessionLock.lock();
try {
this.maximumPacketSize = maximumPacketSize;
} finally {
sessionLock.unlock();
}
}
synchronized int getMaximumPacketSize() {
return maximumPacketSize;
int getMaximumPacketSize() {
sessionLock.lock();
try {
return maximumPacketSize;
} finally {
sessionLock.unlock();
}
}
/**

422
src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
View File

@ -38,6 +38,7 @@ import java.net.SocketException;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.util.List;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.BiFunction;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLException;
@ -84,6 +85,9 @@ public final class SSLSocketImpl
private boolean isConnected = false;
private volatile boolean tlsIsClosed = false;
private final ReentrantLock socketLock = new ReentrantLock();
private final ReentrantLock handshakeLock = new ReentrantLock();
/*
* Is the local name service trustworthy?
*
@ -292,14 +296,25 @@ public final class SSLSocketImpl
}
@Override
public synchronized String[] getEnabledCipherSuites() {
return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites);
public String[] getEnabledCipherSuites() {
socketLock.lock();
try {
return CipherSuite.namesOf(
conContext.sslConfig.enabledCipherSuites);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized void setEnabledCipherSuites(String[] suites) {
conContext.sslConfig.enabledCipherSuites =
CipherSuite.validValuesOf(suites);
public void setEnabledCipherSuites(String[] suites) {
socketLock.lock();
try {
conContext.sslConfig.enabledCipherSuites =
CipherSuite.validValuesOf(suites);
} finally {
socketLock.unlock();
}
}
@Override
@ -309,19 +324,29 @@ public final class SSLSocketImpl
}
@Override
public synchronized String[] getEnabledProtocols() {
return ProtocolVersion.toStringArray(
conContext.sslConfig.enabledProtocols);
public String[] getEnabledProtocols() {
socketLock.lock();
try {
return ProtocolVersion.toStringArray(
conContext.sslConfig.enabledProtocols);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized void setEnabledProtocols(String[] protocols) {
public void setEnabledProtocols(String[] protocols) {
if (protocols == null) {
throw new IllegalArgumentException("Protocols cannot be null");
}
conContext.sslConfig.enabledProtocols =
ProtocolVersion.namesOf(protocols);
socketLock.lock();
try {
conContext.sslConfig.enabledProtocols =
ProtocolVersion.namesOf(protocols);
} finally {
socketLock.unlock();
}
}
@Override
@ -341,29 +366,44 @@ public final class SSLSocketImpl
}
@Override
public synchronized SSLSession getHandshakeSession() {
return conContext.handshakeContext == null ?
null : conContext.handshakeContext.handshakeSession;
public SSLSession getHandshakeSession() {
socketLock.lock();
try {
return conContext.handshakeContext == null ?
null : conContext.handshakeContext.handshakeSession;
} finally {
socketLock.unlock();
}
}
@Override
public synchronized void addHandshakeCompletedListener(
public void addHandshakeCompletedListener(
HandshakeCompletedListener listener) {
if (listener == null) {
throw new IllegalArgumentException("listener is null");
}
conContext.sslConfig.addHandshakeCompletedListener(listener);
socketLock.lock();
try {
conContext.sslConfig.addHandshakeCompletedListener(listener);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized void removeHandshakeCompletedListener(
public void removeHandshakeCompletedListener(
HandshakeCompletedListener listener) {
if (listener == null) {
throw new IllegalArgumentException("listener is null");
}
conContext.sslConfig.removeHandshakeCompletedListener(listener);
socketLock.lock();
try {
conContext.sslConfig.removeHandshakeCompletedListener(listener);
} finally {
socketLock.unlock();
}
}
@Override
@ -377,7 +417,8 @@ public final class SSLSocketImpl
throw new SocketException("Socket has been closed or broken");
}
synchronized (conContext) { // handshake lock
handshakeLock.lock();
try {
// double check the context status
if (conContext.isBroken || conContext.isInboundClosed() ||
conContext.isOutboundClosed()) {
@ -400,53 +441,95 @@ public final class SSLSocketImpl
} catch (Exception oe) { // including RuntimeException
handleException(oe);
}
} finally {
handshakeLock.unlock();
}
}
@Override
public synchronized void setUseClientMode(boolean mode) {
conContext.setUseClientMode(mode);
public void setUseClientMode(boolean mode) {
socketLock.lock();
try {
conContext.setUseClientMode(mode);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized boolean getUseClientMode() {
return conContext.sslConfig.isClientMode;
public boolean getUseClientMode() {
socketLock.lock();
try {
return conContext.sslConfig.isClientMode;
} finally {
socketLock.unlock();
}
}
@Override
public synchronized void setNeedClientAuth(boolean need) {
conContext.sslConfig.clientAuthType =
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
ClientAuthType.CLIENT_AUTH_NONE);
public void setNeedClientAuth(boolean need) {
socketLock.lock();
try {
conContext.sslConfig.clientAuthType =
(need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
ClientAuthType.CLIENT_AUTH_NONE);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized boolean getNeedClientAuth() {
return (conContext.sslConfig.clientAuthType ==
public boolean getNeedClientAuth() {
socketLock.lock();
try {
return (conContext.sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUIRED);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized void setWantClientAuth(boolean want) {
conContext.sslConfig.clientAuthType =
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
ClientAuthType.CLIENT_AUTH_NONE);
public void setWantClientAuth(boolean want) {
socketLock.lock();
try {
conContext.sslConfig.clientAuthType =
(want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
ClientAuthType.CLIENT_AUTH_NONE);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized boolean getWantClientAuth() {
return (conContext.sslConfig.clientAuthType ==
public boolean getWantClientAuth() {
socketLock.lock();
try {
return (conContext.sslConfig.clientAuthType ==
ClientAuthType.CLIENT_AUTH_REQUESTED);
} finally {
socketLock.unlock();
}
}
@Override
public synchronized void setEnableSessionCreation(boolean flag) {
conContext.sslConfig.enableSessionCreation = flag;
public void setEnableSessionCreation(boolean flag) {
socketLock.lock();
try {
conContext.sslConfig.enableSessionCreation = flag;
} finally {
socketLock.unlock();
}
}
@Override
public synchronized boolean getEnableSessionCreation() {
return conContext.sslConfig.enableSessionCreation;
public boolean getEnableSessionCreation() {
socketLock.lock();
try {
return conContext.sslConfig.enableSessionCreation;
} finally {
socketLock.unlock();
}
}
@Override
@ -535,8 +618,9 @@ public final class SSLSocketImpl
// Need a lock here so that the user_canceled alert and the
// close_notify alert can be delivered together.
conContext.outputRecord.recordLock.lock();
try {
synchronized (conContext.outputRecord) {
try {
// send a user_canceled alert if needed.
if (useUserCanceled) {
conContext.warning(Alert.USER_CANCELED);
@ -544,15 +628,17 @@ public final class SSLSocketImpl
// send a close_notify alert
conContext.warning(Alert.CLOSE_NOTIFY);
} finally {
if (!conContext.isOutboundClosed()) {
conContext.outputRecord.close();
}
if ((autoClose || !isLayered()) && !super.isOutputShutdown()) {
super.shutdownOutput();
}
}
} finally {
if (!conContext.isOutboundClosed()) {
conContext.outputRecord.close();
}
if ((autoClose || !isLayered()) && !super.isOutputShutdown()) {
super.shutdownOutput();
}
conContext.outputRecord.recordLock.unlock();
}
if (!isInputShutdown()) {
@ -681,20 +767,25 @@ public final class SSLSocketImpl
}
@Override
public synchronized InputStream getInputStream() throws IOException {
if (isClosed()) {
throw new SocketException("Socket is closed");
}
public InputStream getInputStream() throws IOException {
socketLock.lock();
try {
if (isClosed()) {
throw new SocketException("Socket is closed");
}
if (!isConnected) {
throw new SocketException("Socket is not connected");
}
if (!isConnected) {
throw new SocketException("Socket is not connected");
}
if (conContext.isInboundClosed() || isInputShutdown()) {
throw new SocketException("Socket input is already shutdown");
}
if (conContext.isInboundClosed() || isInputShutdown()) {
throw new SocketException("Socket input is already shutdown");
}
return appInput;
return appInput;
} finally {
socketLock.unlock();
}
}
private void ensureNegotiated() throws IOException {
@ -703,7 +794,8 @@ public final class SSLSocketImpl
return;
}
synchronized (conContext) { // handshake lock
handshakeLock.lock();
try {
// double check the context status
if (conContext.isNegotiated || conContext.isBroken ||
conContext.isInboundClosed() ||
@ -712,6 +804,8 @@ public final class SSLSocketImpl
}
startHandshake();
} finally {
handshakeLock.unlock();
}
}
@ -729,6 +823,9 @@ public final class SSLSocketImpl
// Is application data available in the stream?
private volatile boolean appDataIsAvailable;
// reading lock
private final ReentrantLock readLock = new ReentrantLock();
AppInputStream() {
this.appDataIsAvailable = false;
this.buffer = ByteBuffer.allocate(4096);
@ -807,7 +904,8 @@ public final class SSLSocketImpl
//
// Note that the receiving and processing of post-handshake message
// are also synchronized with the read lock.
synchronized (this) {
readLock.lock();
try {
int remains = available();
if (remains > 0) {
int howmany = Math.min(remains, len);
@ -839,6 +937,8 @@ public final class SSLSocketImpl
// dummy for compiler
return -1;
}
} finally {
readLock.unlock();
}
}
@ -850,19 +950,24 @@ public final class SSLSocketImpl
* things simpler.
*/
@Override
public synchronized long skip(long n) throws IOException {
public long skip(long n) throws IOException {
// dummy array used to implement skip()
byte[] skipArray = new byte[256];
long skipped = 0;
while (n > 0) {
int len = (int)Math.min(n, skipArray.length);
int r = read(skipArray, 0, len);
if (r <= 0) {
break;
readLock.lock();
try {
while (n > 0) {
int len = (int)Math.min(n, skipArray.length);
int r = read(skipArray, 0, len);
if (r <= 0) {
break;
}
n -= r;
skipped += r;
}
n -= r;
skipped += r;
} finally {
readLock.unlock();
}
return skipped;
@ -910,8 +1015,18 @@ public final class SSLSocketImpl
* Try the best to use up the input records so as to close the
* socket gracefully, without impact the performance too much.
*/
private synchronized void deplete() {
if (!conContext.isInboundClosed()) {
private void deplete() {
if (conContext.isInboundClosed()) {
return;
}
readLock.lock();
try {
// double check
if (conContext.isInboundClosed()) {
return;
}
if (!(conContext.inputRecord instanceof SSLSocketInputRecord)) {
return;
}
@ -927,25 +1042,32 @@ public final class SSLSocketImpl
"input stream close depletion failed", ioe);
}
}
} finally {
readLock.unlock();
}
}
}
@Override
public synchronized OutputStream getOutputStream() throws IOException {
if (isClosed()) {
throw new SocketException("Socket is closed");
}
public OutputStream getOutputStream() throws IOException {
socketLock.lock();
try {
if (isClosed()) {
throw new SocketException("Socket is closed");
}
if (!isConnected) {
throw new SocketException("Socket is not connected");
}
if (!isConnected) {
throw new SocketException("Socket is not connected");
}
if (conContext.isOutboundDone() || isOutputShutdown()) {
throw new SocketException("Socket output is already shutdown");
}
if (conContext.isOutboundDone() || isOutputShutdown()) {
throw new SocketException("Socket output is already shutdown");
}
return appOutput;
return appOutput;
} finally {
socketLock.unlock();
}
}
@ -1035,44 +1157,74 @@ public final class SSLSocketImpl
}
@Override
public synchronized SSLParameters getSSLParameters() {
return conContext.sslConfig.getSSLParameters();
}
@Override
public synchronized void setSSLParameters(SSLParameters params) {
conContext.sslConfig.setSSLParameters(params);
if (conContext.sslConfig.maximumPacketSize != 0) {
conContext.outputRecord.changePacketSize(
conContext.sslConfig.maximumPacketSize);
public SSLParameters getSSLParameters() {
socketLock.lock();
try {
return conContext.sslConfig.getSSLParameters();
} finally {
socketLock.unlock();
}
}
@Override
public synchronized String getApplicationProtocol() {
return conContext.applicationProtocol;
public void setSSLParameters(SSLParameters params) {
socketLock.lock();
try {
conContext.sslConfig.setSSLParameters(params);
if (conContext.sslConfig.maximumPacketSize != 0) {
conContext.outputRecord.changePacketSize(
conContext.sslConfig.maximumPacketSize);
}
} finally {
socketLock.unlock();
}
}
@Override
public synchronized String getHandshakeApplicationProtocol() {
if (conContext.handshakeContext != null) {
return conContext.handshakeContext.applicationProtocol;
public String getApplicationProtocol() {
socketLock.lock();
try {
return conContext.applicationProtocol;
} finally {
socketLock.unlock();
}
}
@Override
public String getHandshakeApplicationProtocol() {
socketLock.lock();
try {
if (conContext.handshakeContext != null) {
return conContext.handshakeContext.applicationProtocol;
}
} finally {
socketLock.unlock();
}
return null;
}
@Override
public synchronized void setHandshakeApplicationProtocolSelector(
public void setHandshakeApplicationProtocolSelector(
BiFunction<SSLSocket, List<String>, String> selector) {
conContext.sslConfig.socketAPSelector = selector;
socketLock.lock();
try {
conContext.sslConfig.socketAPSelector = selector;
} finally {
socketLock.unlock();
}
}
@Override
public synchronized BiFunction<SSLSocket, List<String>, String>
public BiFunction<SSLSocket, List<String>, String>
getHandshakeApplicationProtocolSelector() {
return conContext.sslConfig.socketAPSelector;
socketLock.lock();
try {
return conContext.sslConfig.socketAPSelector;
} finally {
socketLock.unlock();
}
}
/**
@ -1142,8 +1294,11 @@ public final class SSLSocketImpl
try {
Plaintext plainText;
synchronized (this) {
socketLock.lock();
try {
plainText = decode(buffer);
} finally {
socketLock.unlock();
}
if (plainText.contentType == ContentType.APPLICATION_DATA.id &&
buffer.position() > 0) {
@ -1222,27 +1377,33 @@ public final class SSLSocketImpl
*
* Called by connect, the layered constructor, and SSLServerSocket.
*/
synchronized void doneConnect() throws IOException {
// In server mode, it is not necessary to set host and serverNames.
// Otherwise, would require a reverse DNS lookup to get the hostname.
if (peerHost == null || peerHost.isEmpty()) {
boolean useNameService =
trustNameService && conContext.sslConfig.isClientMode;
useImplicitHost(useNameService);
} else {
conContext.sslConfig.serverNames =
Utilities.addToSNIServerNameList(
conContext.sslConfig.serverNames, peerHost);
void doneConnect() throws IOException {
socketLock.lock();
try {
// In server mode, it is not necessary to set host and serverNames.
// Otherwise, would require a reverse DNS lookup to get
// the hostname.
if (peerHost == null || peerHost.isEmpty()) {
boolean useNameService =
trustNameService && conContext.sslConfig.isClientMode;
useImplicitHost(useNameService);
} else {
conContext.sslConfig.serverNames =
Utilities.addToSNIServerNameList(
conContext.sslConfig.serverNames, peerHost);
}
InputStream sockInput = super.getInputStream();
conContext.inputRecord.setReceiverStream(sockInput);
OutputStream sockOutput = super.getOutputStream();
conContext.inputRecord.setDeliverStream(sockOutput);
conContext.outputRecord.setDeliverStream(sockOutput);
this.isConnected = true;
} finally {
socketLock.unlock();
}
InputStream sockInput = super.getInputStream();
conContext.inputRecord.setReceiverStream(sockInput);
OutputStream sockOutput = super.getOutputStream();
conContext.inputRecord.setDeliverStream(sockOutput);
conContext.outputRecord.setDeliverStream(sockOutput);
this.isConnected = true;
}
private void useImplicitHost(boolean useNameService) {
@ -1288,11 +1449,16 @@ public final class SSLSocketImpl
// Please NOTE that this method MUST be called before calling to
// SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter
// may override SNIHostName in the customized server name indication.
public synchronized void setHost(String host) {
this.peerHost = host;
this.conContext.sslConfig.serverNames =
Utilities.addToSNIServerNameList(
conContext.sslConfig.serverNames, host);
public void setHost(String host) {
socketLock.lock();
try {
this.peerHost = host;
this.conContext.sslConfig.serverNames =
Utilities.addToSNIServerNameList(
conContext.sslConfig.serverNames, host);
} finally {
socketLock.unlock();
}
}
/**

473
src/java.base/share/classes/sun/security/ssl/SSLSocketOutputRecord.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -51,123 +51,206 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
}
@Override
synchronized void encodeAlert(
byte level, byte description) throws IOException {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"alert message: " + Alert.nameOf(description));
void encodeAlert(byte level, byte description) throws IOException {
recordLock.lock();
try {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"alert message: " + Alert.nameOf(description));
}
return;
}
return;
// use the buf of ByteArrayOutputStream
int position = headerSize + writeCipher.getExplicitNonceSize();
count = position;
write(level);
write(description);
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
SSLLogger.fine("WRITE: " + protocolVersion +
" " + ContentType.ALERT.name +
"(" + Alert.nameOf(description) + ")" +
", length = " + (count - headerSize));
}
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher, ContentType.ALERT.id, headerSize);
// deliver this message
deliverStream.write(buf, 0, count); // may throw IOException
deliverStream.flush(); // may throw IOException
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the internal buffer
count = 0;
} finally {
recordLock.unlock();
}
// use the buf of ByteArrayOutputStream
int position = headerSize + writeCipher.getExplicitNonceSize();
count = position;
write(level);
write(description);
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
SSLLogger.fine("WRITE: " + protocolVersion +
" " + ContentType.ALERT.name +
"(" + Alert.nameOf(description) + ")" +
", length = " + (count - headerSize));
}
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher, ContentType.ALERT.id, headerSize);
// deliver this message
deliverStream.write(buf, 0, count); // may throw IOException
deliverStream.flush(); // may throw IOException
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the internal buffer
count = 0;
}
@Override
synchronized void encodeHandshake(byte[] source,
void encodeHandshake(byte[] source,
int offset, int length) throws IOException {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"handshake message",
ByteBuffer.wrap(source, offset, length));
recordLock.lock();
try {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"handshake message",
ByteBuffer.wrap(source, offset, length));
}
return;
}
return;
}
if (firstMessage) {
firstMessage = false;
if (firstMessage) {
firstMessage = false;
if ((helloVersion == ProtocolVersion.SSL20Hello) &&
(source[offset] == SSLHandshake.CLIENT_HELLO.id) &&
if ((helloVersion == ProtocolVersion.SSL20Hello) &&
(source[offset] == SSLHandshake.CLIENT_HELLO.id) &&
// 5: recode header size
(source[offset + 4 + 2 + 32] == 0)) {
(source[offset + 4 + 2 + 32] == 0)) {
// V3 session ID is empty
// 4: handshake header size
// 2: client_version in ClientHello
// 32: random in ClientHello
ByteBuffer v2ClientHello = encodeV2ClientHello(
source, (offset + 4), (length - 4));
ByteBuffer v2ClientHello = encodeV2ClientHello(
source, (offset + 4), (length - 4));
byte[] record = v2ClientHello.array(); // array offset is zero
int limit = v2ClientHello.limit();
handshakeHash.deliver(record, 2, (limit - 2));
// array offset is zero
byte[] record = v2ClientHello.array();
int limit = v2ClientHello.limit();
handshakeHash.deliver(record, 2, (limit - 2));
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
SSLLogger.fine(
"WRITE: SSLv2 ClientHello message" +
", length = " + limit);
}
// deliver this message
//
// Version 2 ClientHello message should be plaintext.
//
// No max fragment length negotiation.
deliverStream.write(record, 0, limit);
deliverStream.flush();
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(record, 0, limit)));
}
return;
}
}
byte handshakeType = source[0];
if (handshakeHash.isHashable(handshakeType)) {
handshakeHash.deliver(source, offset, length);
}
int fragLimit = getFragLimit();
int position = headerSize + writeCipher.getExplicitNonceSize();
if (count == 0) {
count = position;
}
if ((count - position) < (fragLimit - length)) {
write(source, offset, length);
return;
}
for (int limit = (offset + length); offset < limit;) {
int remains = (limit - offset) + (count - position);
int fragLen = Math.min(fragLimit, remains);
// use the buf of ByteArrayOutputStream
write(source, offset, fragLen);
if (remains < fragLimit) {
return;
}
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
SSLLogger.fine(
"WRITE: SSLv2 ClientHello message" +
", length = " + limit);
"WRITE: " + protocolVersion +
" " + ContentType.HANDSHAKE.name +
", length = " + (count - headerSize));
}
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher, ContentType.HANDSHAKE.id, headerSize);
// deliver this message
//
// Version 2 ClientHello message should be plaintext.
//
// No max fragment length negotiation.
deliverStream.write(record, 0, limit);
deliverStream.flush();
deliverStream.write(buf, 0, count); // may throw IOException
deliverStream.flush(); // may throw IOException
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(record, 0, limit)));
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the offset
offset += fragLen;
// reset the internal buffer
count = position;
}
} finally {
recordLock.unlock();
}
}
@Override
void encodeChangeCipherSpec() throws IOException {
recordLock.lock();
try {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"change_cipher_spec message");
}
return;
}
}
byte handshakeType = source[0];
if (handshakeHash.isHashable(handshakeType)) {
handshakeHash.deliver(source, offset, length);
}
int fragLimit = getFragLimit();
int position = headerSize + writeCipher.getExplicitNonceSize();
if (count == 0) {
count = position;
}
if ((count - position) < (fragLimit - length)) {
write(source, offset, length);
return;
}
for (int limit = (offset + length); offset < limit;) {
int remains = (limit - offset) + (count - position);
int fragLen = Math.min(fragLimit, remains);
// use the buf of ByteArrayOutputStream
write(source, offset, fragLen);
if (remains < fragLimit) {
int position = headerSize + writeCipher.getExplicitNonceSize();
count = position;
write((byte)1); // byte 1: change_cipher_spec(
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher, ContentType.CHANGE_CIPHER_SPEC.id, headerSize);
// deliver this message
deliverStream.write(buf, 0, count); // may throw IOException
// deliverStream.flush(); // flush in Finished
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the internal buffer
count = 0;
} finally {
recordLock.unlock();
}
}
@Override
public void flush() throws IOException {
recordLock.lock();
try {
int position = headerSize + writeCipher.getExplicitNonceSize();
if (count <= position) {
return;
}
@ -190,155 +273,103 @@ final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the offset
offset += fragLen;
// reset the internal buffer
count = position;
count = 0; // DON'T use position
} finally {
recordLock.unlock();
}
}
@Override
synchronized void encodeChangeCipherSpec() throws IOException {
if (isClosed()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("outbound has closed, ignore outbound " +
"change_cipher_spec message");
}
return;
}
// use the buf of ByteArrayOutputStream
int position = headerSize + writeCipher.getExplicitNonceSize();
count = position;
write((byte)1); // byte 1: change_cipher_spec(
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher, ContentType.CHANGE_CIPHER_SPEC.id, headerSize);
// deliver this message
deliverStream.write(buf, 0, count); // may throw IOException
// deliverStream.flush(); // flush in Finished
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the internal buffer
count = 0;
}
@Override
public synchronized void flush() throws IOException {
int position = headerSize + writeCipher.getExplicitNonceSize();
if (count <= position) {
return;
}
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
SSLLogger.fine(
"WRITE: " + protocolVersion +
" " + ContentType.HANDSHAKE.name +
", length = " + (count - headerSize));
}
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher, ContentType.HANDSHAKE.id, headerSize);
// deliver this message
deliverStream.write(buf, 0, count); // may throw IOException
deliverStream.flush(); // may throw IOException
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the internal buffer
count = 0; // DON'T use position
}
@Override
synchronized void deliver(
byte[] source, int offset, int length) throws IOException {
if (isClosed()) {
throw new SocketException("Connection or outbound has been closed");
}
if (writeCipher.authenticator.seqNumOverflow()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.fine(
"sequence number extremely close to overflow " +
"(2^64-1 packets). Closing connection.");
void deliver(byte[] source, int offset, int length) throws IOException {
recordLock.lock();
try {
if (isClosed()) {
throw new SocketException(
"Connection or outbound has been closed");
}
throw new SSLHandshakeException("sequence number overflow");
}
if (writeCipher.authenticator.seqNumOverflow()) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.fine(
"sequence number extremely close to overflow " +
"(2^64-1 packets). Closing connection.");
}
boolean isFirstRecordOfThePayload = true;
for (int limit = (offset + length); offset < limit;) {
int fragLen;
if (packetSize > 0) {
fragLen = Math.min(maxRecordSize, packetSize);
fragLen =
writeCipher.calculateFragmentSize(fragLen, headerSize);
fragLen = Math.min(fragLen, Record.maxDataSize);
} else {
fragLen = Record.maxDataSize;
throw new SSLHandshakeException("sequence number overflow");
}
if (fragmentSize > 0) {
fragLen = Math.min(fragLen, fragmentSize);
boolean isFirstRecordOfThePayload = true;
for (int limit = (offset + length); offset < limit;) {
int fragLen;
if (packetSize > 0) {
fragLen = Math.min(maxRecordSize, packetSize);
fragLen = writeCipher.calculateFragmentSize(
fragLen, headerSize);
fragLen = Math.min(fragLen, Record.maxDataSize);
} else {
fragLen = Record.maxDataSize;
}
if (fragmentSize > 0) {
fragLen = Math.min(fragLen, fragmentSize);
}
if (isFirstRecordOfThePayload && needToSplitPayload()) {
fragLen = 1;
isFirstRecordOfThePayload = false;
} else {
fragLen = Math.min(fragLen, (limit - offset));
}
// use the buf of ByteArrayOutputStream
int position = headerSize + writeCipher.getExplicitNonceSize();
count = position;
write(source, offset, fragLen);
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
SSLLogger.fine(
"WRITE: " + protocolVersion +
" " + ContentType.APPLICATION_DATA.name +
", length = " + (count - position));
}
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher,
ContentType.APPLICATION_DATA.id, headerSize);
// deliver this message
deliverStream.write(buf, 0, count); // may throw IOException
deliverStream.flush(); // may throw IOException
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the internal buffer
count = 0;
if (isFirstAppOutputRecord) {
isFirstAppOutputRecord = false;
}
offset += fragLen;
}
if (isFirstRecordOfThePayload && needToSplitPayload()) {
fragLen = 1;
isFirstRecordOfThePayload = false;
} else {
fragLen = Math.min(fragLen, (limit - offset));
}
// use the buf of ByteArrayOutputStream
int position = headerSize + writeCipher.getExplicitNonceSize();
count = position;
write(source, offset, fragLen);
if (SSLLogger.isOn && SSLLogger.isOn("record")) {
SSLLogger.fine(
"WRITE: " + protocolVersion +
" " + ContentType.APPLICATION_DATA.name +
", length = " + (count - position));
}
// Encrypt the fragment and wrap up a record.
encrypt(writeCipher, ContentType.APPLICATION_DATA.id, headerSize);
// deliver this message
deliverStream.write(buf, 0, count); // may throw IOException
deliverStream.flush(); // may throw IOException
if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
SSLLogger.fine("Raw write",
(new ByteArrayInputStream(buf, 0, count)));
}
// reset the internal buffer
count = 0;
if (isFirstAppOutputRecord) {
isFirstAppOutputRecord = false;
}
offset += fragLen;
} finally {
recordLock.unlock();
}
}
@Override
synchronized void setDeliverStream(OutputStream outputStream) {
this.deliverStream = outputStream;
void setDeliverStream(OutputStream outputStream) {
recordLock.lock();
try {
this.deliverStream = outputStream;
} finally {
recordLock.unlock();
}
}
/*

22
src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -102,25 +102,21 @@ final class SunX509KeyManagerImpl extends X509ExtendedKeyManager {
* Basic container for credentials implemented as an inner class.
*/
private static class X509Credentials {
PrivateKey privateKey;
X509Certificate[] certificates;
private Set<X500Principal> issuerX500Principals;
final PrivateKey privateKey;
final X509Certificate[] certificates;
private final Set<X500Principal> issuerX500Principals;
X509Credentials(PrivateKey privateKey, X509Certificate[] certificates) {
// assert privateKey and certificates != null
this.privateKey = privateKey;
this.certificates = certificates;
this.issuerX500Principals = new HashSet<>(certificates.length);
for (X509Certificate certificate : certificates) {
issuerX500Principals.add(certificate.getIssuerX500Principal());
}
}
synchronized Set<X500Principal> getIssuerX500Principals() {
// lazy initialization
if (issuerX500Principals == null) {
issuerX500Principals = new HashSet<X500Principal>();
for (int i = 0; i < certificates.length; i++) {
issuerX500Principals.add(
certificates[i].getIssuerX500Principal());
}
}
Set<X500Principal> getIssuerX500Principals() {
return issuerX500Principals;
}
}

12
src/java.base/share/classes/sun/security/ssl/TransportContext.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -496,13 +496,16 @@ class TransportContext implements ConnectionContext {
}
if (needCloseNotify) {
synchronized (outputRecord) {
outputRecord.recordLock.lock();
try {
try {
// send a close_notify alert
warning(Alert.CLOSE_NOTIFY);
} finally {
outputRecord.close();
}
} finally {
outputRecord.recordLock.unlock();
}
}
}
@ -541,7 +544,8 @@ class TransportContext implements ConnectionContext {
// Need a lock here so that the user_canceled alert and the
// close_notify alert can be delivered together.
synchronized (outputRecord) {
outputRecord.recordLock.lock();
try {
try {
// send a user_canceled alert if needed.
if (useUserCanceled) {
@ -553,6 +557,8 @@ class TransportContext implements ConnectionContext {
} finally {
outputRecord.close();
}
} finally {
outputRecord.recordLock.unlock();
}
}

105
src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java
View File

@ -30,6 +30,7 @@ import java.lang.ref.WeakReference;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import sun.security.action.*;
import sun.security.validator.TrustStoreUtil;
@ -244,6 +245,8 @@ final class TrustStoreManager {
// objects can be atomically cleared, and reloaded if needed.
private WeakReference<Set<X509Certificate>> csRef;
private final ReentrantLock tamLock = new ReentrantLock();
private TrustAnchorManager() {
this.descriptor = null;
this.ksRef = new WeakReference<>(null);
@ -255,7 +258,7 @@ final class TrustStoreManager {
*
* @return null if the underlying KeyStore is not available.
*/
synchronized KeyStore getKeyStore(
KeyStore getKeyStore(
TrustStoreDescriptor descriptor) throws Exception {
TrustStoreDescriptor temporaryDesc = this.descriptor;
@ -264,14 +267,25 @@ final class TrustStoreManager {
return ks;
}
// Reload a new key store.
if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
SSLLogger.fine("Reload the trust store");
}
tamLock.lock();
try {
// double check
ks = ksRef.get();
if ((ks != null) && descriptor.equals(temporaryDesc)) {
return ks;
}
ks = loadKeyStore(descriptor);
this.descriptor = descriptor;
this.ksRef = new WeakReference<>(ks);
// Reload a new key store.
if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
SSLLogger.fine("Reload the trust store");
}
ks = loadKeyStore(descriptor);
this.descriptor = descriptor;
this.ksRef = new WeakReference<>(ks);
} finally {
tamLock.unlock();
}
return ks;
}
@ -282,51 +296,62 @@ final class TrustStoreManager {
*
* @return empty collection if the underlying KeyStore is not available.
*/
synchronized Set<X509Certificate> getTrustedCerts(
Set<X509Certificate> getTrustedCerts(
TrustStoreDescriptor descriptor) throws Exception {
KeyStore ks = null;
TrustStoreDescriptor temporaryDesc = this.descriptor;
Set<X509Certificate> certs = csRef.get();
if (certs != null) {
if (descriptor.equals(temporaryDesc)) {
return certs;
} else {
// Use the new descriptor.
this.descriptor = descriptor;
}
} else {
// Try to use the cached store at first.
if (descriptor.equals(temporaryDesc)) {
ks = ksRef.get();
} else {
// Use the new descriptor.
this.descriptor = descriptor;
}
if ((certs != null) && descriptor.equals(temporaryDesc)) {
return certs;
}
// Reload the trust store if needed.
if (ks == null) {
tamLock.lock();
try {
// double check
temporaryDesc = this.descriptor;
certs = csRef.get();
if (certs != null) {
if (descriptor.equals(temporaryDesc)) {
return certs;
} else {
// Use the new descriptor.
this.descriptor = descriptor;
}
} else {
// Try to use the cached store at first.
if (descriptor.equals(temporaryDesc)) {
ks = ksRef.get();
} else {
// Use the new descriptor.
this.descriptor = descriptor;
}
}
// Reload the trust store if needed.
if (ks == null) {
if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
SSLLogger.fine("Reload the trust store");
}
ks = loadKeyStore(descriptor);
this.ksRef = new WeakReference<>(ks);
}
// Reload trust certs from the key store.
if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
SSLLogger.fine("Reload the trust store");
SSLLogger.fine("Reload trust certs");
}
ks = loadKeyStore(descriptor);
}
// Reload trust certs from the key store.
if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
SSLLogger.fine("Reload trust certs");
}
certs = loadTrustedCerts(ks);
if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
SSLLogger.fine("Reloaded " + certs.size() + " trust certs");
}
certs = loadTrustedCerts(ks);
if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
SSLLogger.fine("Reloaded " + certs.size() + " trust certs");
this.csRef = new WeakReference<>(certs);
} finally {
tamLock.unlock();
}
// Note that as ks is a local variable, it is not
// necessary to add it to the ksRef weak reference.
this.csRef = new WeakReference<>(certs);
return certs;
}

13
src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java
View File

@ -29,6 +29,7 @@ import java.net.Socket;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.*;
import sun.security.util.AnchorCertificates;
import sun.security.util.HostnameChecker;
@ -63,6 +64,8 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
// the different extension checks. They are initialized lazily on demand.
private volatile Validator clientValidator, serverValidator;
private final ReentrantLock validatorLock = new ReentrantLock();
X509TrustManagerImpl(String validatorType,
Collection<X509Certificate> trustedCerts) {
@ -157,12 +160,15 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
if (isClient) {
v = clientValidator;
if (v == null) {
synchronized (this) {
validatorLock.lock();
try {
v = clientValidator;
if (v == null) {
v = getValidator(Validator.VAR_TLS_CLIENT);
clientValidator = v;
}
} finally {
validatorLock.unlock();
}
}
} else {
@ -170,12 +176,15 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
// (guaranteed under the new Tiger memory model)
v = serverValidator;
if (v == null) {
synchronized (this) {
validatorLock.lock();
try {
v = serverValidator;
if (v == null) {
v = getValidator(Validator.VAR_TLS_SERVER);
serverValidator = v;
}
} finally {
validatorLock.unlock();
}
}
}