View Javadoc
1   /*
2    * Copyright 2016 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import io.netty.buffer.ByteBuf;
19  import io.netty.buffer.ByteBufAllocator;
20  import io.netty.internal.tcnative.Buffer;
21  import io.netty.internal.tcnative.SSL;
22  import io.netty.util.AbstractReferenceCounted;
23  import io.netty.util.ReferenceCounted;
24  import io.netty.util.ResourceLeakDetector;
25  import io.netty.util.ResourceLeakDetectorFactory;
26  import io.netty.util.ResourceLeakTracker;
27  import io.netty.util.internal.EmptyArrays;
28  import io.netty.util.internal.PlatformDependent;
29  import io.netty.util.internal.StringUtil;
30  import io.netty.util.internal.ThrowableUtil;
31  import io.netty.util.internal.UnstableApi;
32  import io.netty.util.internal.logging.InternalLogger;
33  import io.netty.util.internal.logging.InternalLoggerFactory;
34  
35  import java.nio.ByteBuffer;
36  import java.nio.ReadOnlyBufferException;
37  import java.security.Principal;
38  import java.security.cert.Certificate;
39  import java.util.ArrayList;
40  import java.util.Arrays;
41  import java.util.Collection;
42  import java.util.HashMap;
43  import java.util.List;
44  import java.util.Map;
45  import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
46  import java.util.concurrent.locks.Lock;
47  
48  import javax.net.ssl.SSLEngine;
49  import javax.net.ssl.SSLEngineResult;
50  import javax.net.ssl.SSLException;
51  import javax.net.ssl.SSLHandshakeException;
52  import javax.net.ssl.SSLParameters;
53  import javax.net.ssl.SSLPeerUnverifiedException;
54  import javax.net.ssl.SSLSession;
55  import javax.net.ssl.SSLSessionBindingEvent;
56  import javax.net.ssl.SSLSessionBindingListener;
57  import javax.net.ssl.SSLSessionContext;
58  import javax.security.cert.X509Certificate;
59  
60  import static io.netty.handler.ssl.OpenSsl.memoryAddress;
61  import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V2;
62  import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V2_HELLO;
63  import static io.netty.handler.ssl.SslUtils.PROTOCOL_SSL_V3;
64  import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1;
65  import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_1;
66  import static io.netty.handler.ssl.SslUtils.PROTOCOL_TLS_V1_2;
67  import static io.netty.handler.ssl.SslUtils.SSL_RECORD_HEADER_LENGTH;
68  import static io.netty.internal.tcnative.SSL.SSL_MAX_PLAINTEXT_LENGTH;
69  import static io.netty.internal.tcnative.SSL.SSL_MAX_RECORD_LENGTH;
70  import static io.netty.util.internal.EmptyArrays.EMPTY_CERTIFICATES;
71  import static io.netty.util.internal.EmptyArrays.EMPTY_JAVAX_X509_CERTIFICATES;
72  import static io.netty.util.internal.ObjectUtil.checkNotNull;
73  import static java.lang.Integer.MAX_VALUE;
74  import static java.lang.Math.min;
75  import static javax.net.ssl.SSLEngineResult.HandshakeStatus.FINISHED;
76  import static javax.net.ssl.SSLEngineResult.HandshakeStatus.NEED_UNWRAP;
77  import static javax.net.ssl.SSLEngineResult.HandshakeStatus.NEED_WRAP;
78  import static javax.net.ssl.SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;
79  import static javax.net.ssl.SSLEngineResult.Status.BUFFER_OVERFLOW;
80  import static javax.net.ssl.SSLEngineResult.Status.BUFFER_UNDERFLOW;
81  import static javax.net.ssl.SSLEngineResult.Status.CLOSED;
82  import static javax.net.ssl.SSLEngineResult.Status.OK;
83  
84  /**
85   * Implements a {@link SSLEngine} using
86   * <a href="https://www.openssl.org/docs/crypto/BIO_s_bio.html#EXAMPLE">OpenSSL BIO abstractions</a>.
87   * <p>Instances of this class must be {@link #release() released} or else native memory will leak!
88   *
89   * <p>Instances of this class <strong>must</strong> be released before the {@link ReferenceCountedOpenSslContext}
90   * the instance depends upon are released. Otherwise if any method of this class is called which uses the
91   * the {@link ReferenceCountedOpenSslContext} JNI resources the JVM may crash.
92   */
93  public class ReferenceCountedOpenSslEngine extends SSLEngine implements ReferenceCounted, ApplicationProtocolAccessor {
94  
95      private static final InternalLogger logger = InternalLoggerFactory.getInstance(ReferenceCountedOpenSslEngine.class);
96  
97      private static final SSLException BEGIN_HANDSHAKE_ENGINE_CLOSED = ThrowableUtil.unknownStackTrace(
98              new SSLException("engine closed"), ReferenceCountedOpenSslEngine.class, "beginHandshake()");
99      private static final SSLException HANDSHAKE_ENGINE_CLOSED = ThrowableUtil.unknownStackTrace(
100             new SSLException("engine closed"), ReferenceCountedOpenSslEngine.class, "handshake()");
101     private static final SSLException RENEGOTIATION_UNSUPPORTED =  ThrowableUtil.unknownStackTrace(
102             new SSLException("renegotiation unsupported"), ReferenceCountedOpenSslEngine.class, "beginHandshake()");
103     private static final ResourceLeakDetector<ReferenceCountedOpenSslEngine> leakDetector =
104             ResourceLeakDetectorFactory.instance().newResourceLeakDetector(ReferenceCountedOpenSslEngine.class);
105     private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2 = 0;
106     private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3 = 1;
107     private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1 = 2;
108     private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1 = 3;
109     private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2 = 4;
110     private static final int[] OPENSSL_OP_NO_PROTOCOLS = {
111             SSL.SSL_OP_NO_SSLv2,
112             SSL.SSL_OP_NO_SSLv3,
113             SSL.SSL_OP_NO_TLSv1,
114             SSL.SSL_OP_NO_TLSv1_1,
115             SSL.SSL_OP_NO_TLSv1_2
116     };
117     /**
118      * <a href="https://www.openssl.org/docs/man1.0.2/crypto/X509_check_host.html">The flags argument is usually 0</a>.
119      */
120     private static final int DEFAULT_HOSTNAME_VALIDATION_FLAGS = 0;
121 
122     /**
123      * Depends upon tcnative ... only use if tcnative is available!
124      */
125     static final int MAX_PLAINTEXT_LENGTH = SSL_MAX_PLAINTEXT_LENGTH;
126     /**
127      * Depends upon tcnative ... only use if tcnative is available!
128      */
129     private static final int MAX_RECORD_SIZE = SSL_MAX_RECORD_LENGTH;
130 
131     private static final AtomicIntegerFieldUpdater<ReferenceCountedOpenSslEngine> DESTROYED_UPDATER =
132             AtomicIntegerFieldUpdater.newUpdater(ReferenceCountedOpenSslEngine.class, "destroyed");
133 
134     private static final String INVALID_CIPHER = "SSL_NULL_WITH_NULL_NULL";
135     private static final SSLEngineResult NEED_UNWRAP_OK = new SSLEngineResult(OK, NEED_UNWRAP, 0, 0);
136     private static final SSLEngineResult NEED_UNWRAP_CLOSED = new SSLEngineResult(CLOSED, NEED_UNWRAP, 0, 0);
137     private static final SSLEngineResult NEED_WRAP_OK = new SSLEngineResult(OK, NEED_WRAP, 0, 0);
138     private static final SSLEngineResult NEED_WRAP_CLOSED = new SSLEngineResult(CLOSED, NEED_WRAP, 0, 0);
139     private static final SSLEngineResult CLOSED_NOT_HANDSHAKING = new SSLEngineResult(CLOSED, NOT_HANDSHAKING, 0, 0);
140 
141     // OpenSSL state
142     private long ssl;
143     private long networkBIO;
144     private boolean certificateSet;
145 
146     private enum HandshakeState {
147         /**
148          * Not started yet.
149          */
150         NOT_STARTED,
151         /**
152          * Started via unwrap/wrap.
153          */
154         STARTED_IMPLICITLY,
155         /**
156          * Started via {@link #beginHandshake()}.
157          */
158         STARTED_EXPLICITLY,
159         /**
160          * Handshake is finished.
161          */
162         FINISHED
163     }
164 
165     private HandshakeState handshakeState = HandshakeState.NOT_STARTED;
166     private boolean receivedShutdown;
167     private volatile int destroyed;
168     private volatile String applicationProtocol;
169 
170     // Reference Counting
171     private final ResourceLeakTracker<ReferenceCountedOpenSslEngine> leak;
172     private final AbstractReferenceCounted refCnt = new AbstractReferenceCounted() {
173         @Override
174         public ReferenceCounted touch(Object hint) {
175             if (leak != null) {
176                 leak.record(hint);
177             }
178 
179             return ReferenceCountedOpenSslEngine.this;
180         }
181 
182         @Override
183         protected void deallocate() {
184             shutdown();
185             if (leak != null) {
186                 boolean closed = leak.close(ReferenceCountedOpenSslEngine.this);
187                 assert closed;
188             }
189         }
190     };
191 
192     private volatile ClientAuth clientAuth = ClientAuth.NONE;
193 
194     // Updated once a new handshake is started and so the SSLSession reused.
195     private volatile long lastAccessed = -1;
196 
197     private String endPointIdentificationAlgorithm;
198     // Store as object as AlgorithmConstraints only exists since java 7.
199     private Object algorithmConstraints;
200     private List<String> sniHostNames;
201 
202     // Mark as volatile as accessed by checkSniHostnameMatch(...) and also not specify the SNIMatcher type to allow us
203     // using it with java7.
204     private volatile Collection<?> matchers;
205 
206     // SSL Engine status variables
207     private boolean isInboundDone;
208     private boolean outboundClosed;
209 
210     final boolean jdkCompatibilityMode;
211     private final boolean clientMode;
212     private final ByteBufAllocator alloc;
213     private final OpenSslEngineMap engineMap;
214     private final OpenSslApplicationProtocolNegotiator apn;
215     private final OpenSslSession session;
216     private final Certificate[] localCerts;
217     private final ByteBuffer[] singleSrcBuffer = new ByteBuffer[1];
218     private final ByteBuffer[] singleDstBuffer = new ByteBuffer[1];
219     private final OpenSslKeyMaterialManager keyMaterialManager;
220     private final boolean enableOcsp;
221     private int maxWrapOverhead;
222     private int maxWrapBufferSize;
223 
224     // This is package-private as we set it from OpenSslContext if an exception is thrown during
225     // the verification step.
226     SSLHandshakeException handshakeException;
227 
228     /**
229      * Create a new instance.
230      * @param context Reference count release responsibility is not transferred! The callee still owns this object.
231      * @param alloc The allocator to use.
232      * @param peerHost The peer host name.
233      * @param peerPort The peer port.
234      * @param jdkCompatibilityMode {@code true} to behave like described in
235      *                             https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html.
236      *                             {@code false} allows for partial and/or multiple packets to be process in a single
237      *                             wrap or unwrap call.
238      * @param leakDetection {@code true} to enable leak detection of this object.
239      */
240     ReferenceCountedOpenSslEngine(ReferenceCountedOpenSslContext context, ByteBufAllocator alloc, String peerHost,
241                                   int peerPort, boolean jdkCompatibilityMode, boolean leakDetection) {
242         super(peerHost, peerPort);
243         OpenSsl.ensureAvailability();
244         this.alloc = checkNotNull(alloc, "alloc");
245         apn = (OpenSslApplicationProtocolNegotiator) context.applicationProtocolNegotiator();
246         session = new OpenSslSession(context.sessionContext());
247         clientMode = context.isClient();
248         engineMap = context.engineMap;
249         localCerts = context.keyCertChain;
250         keyMaterialManager = context.keyMaterialManager();
251         enableOcsp = context.enableOcsp;
252         this.jdkCompatibilityMode = jdkCompatibilityMode;
253         Lock readerLock = context.ctxLock.readLock();
254         readerLock.lock();
255         final long finalSsl;
256         try {
257             finalSsl = SSL.newSSL(context.ctx, !context.isClient());
258         } finally {
259             readerLock.unlock();
260         }
261         synchronized (this) {
262             ssl = finalSsl;
263             try {
264                 networkBIO = SSL.bioNewByteBuffer(ssl, context.getBioNonApplicationBufferSize());
265 
266                 // Set the client auth mode, this needs to be done via setClientAuth(...) method so we actually call the
267                 // needed JNI methods.
268                 setClientAuth(clientMode ? ClientAuth.NONE : context.clientAuth);
269 
270                 if (context.protocols != null) {
271                     setEnabledProtocols(context.protocols);
272                 }
273 
274                 // Use SNI if peerHost was specified
275                 // See https://github.com/netty/netty/issues/4746
276                 if (clientMode && peerHost != null) {
277                     SSL.setTlsExtHostName(ssl, peerHost);
278                 }
279 
280                 if (enableOcsp) {
281                     SSL.enableOcsp(ssl);
282                 }
283 
284                 if (!jdkCompatibilityMode) {
285                     SSL.setMode(ssl, SSL.getMode(ssl) | SSL.SSL_MODE_ENABLE_PARTIAL_WRITE);
286                 }
287 
288                 // setMode may impact the overhead.
289                 calculateMaxWrapOverhead();
290             } catch (Throwable cause) {
291                 SSL.freeSSL(ssl);
292                 PlatformDependent.throwException(cause);
293             }
294         }
295 
296         // Only create the leak after everything else was executed and so ensure we don't produce a false-positive for
297         // the ResourceLeakDetector.
298         leak = leakDetection ? leakDetector.track(this) : null;
299     }
300 
301     /**
302      * Sets the OCSP response.
303      */
304     @UnstableApi
305     public void setOcspResponse(byte[] response) {
306         if (!enableOcsp) {
307             throw new IllegalStateException("OCSP stapling is not enabled");
308         }
309 
310         if (clientMode) {
311             throw new IllegalStateException("Not a server SSLEngine");
312         }
313 
314         synchronized (this) {
315             SSL.setOcspResponse(ssl, response);
316         }
317     }
318 
319     /**
320      * Returns the OCSP response or {@code null} if the server didn't provide a stapled OCSP response.
321      */
322     @UnstableApi
323     public byte[] getOcspResponse() {
324         if (!enableOcsp) {
325             throw new IllegalStateException("OCSP stapling is not enabled");
326         }
327 
328         if (!clientMode) {
329             throw new IllegalStateException("Not a client SSLEngine");
330         }
331 
332         synchronized (this) {
333             return SSL.getOcspResponse(ssl);
334         }
335     }
336 
337     @Override
338     public final int refCnt() {
339         return refCnt.refCnt();
340     }
341 
342     @Override
343     public final ReferenceCounted retain() {
344         refCnt.retain();
345         return this;
346     }
347 
348     @Override
349     public final ReferenceCounted retain(int increment) {
350         refCnt.retain(increment);
351         return this;
352     }
353 
354     @Override
355     public final ReferenceCounted touch() {
356         refCnt.touch();
357         return this;
358     }
359 
360     @Override
361     public final ReferenceCounted touch(Object hint) {
362         refCnt.touch(hint);
363         return this;
364     }
365 
366     @Override
367     public final boolean release() {
368         return refCnt.release();
369     }
370 
371     @Override
372     public final boolean release(int decrement) {
373         return refCnt.release(decrement);
374     }
375 
376     @Override
377     public final synchronized SSLSession getHandshakeSession() {
378         // Javadocs state return value should be:
379         // null if this instance is not currently handshaking, or if the current handshake has not
380         // progressed far enough to create a basic SSLSession. Otherwise, this method returns the
381         // SSLSession currently being negotiated.
382         switch(handshakeState) {
383             case NOT_STARTED:
384             case FINISHED:
385                 return null;
386             default:
387                 return session;
388         }
389     }
390 
391     /**
392      * Returns the pointer to the {@code SSL} object for this {@link ReferenceCountedOpenSslEngine}.
393      * Be aware that it is freed as soon as the {@link #release()} or {@link #shutdown()} methods are called.
394      * At this point {@code 0} will be returned.
395      */
396     public final synchronized long sslPointer() {
397         return ssl;
398     }
399 
400     /**
401      * Destroys this engine.
402      */
403     public final synchronized void shutdown() {
404         if (DESTROYED_UPDATER.compareAndSet(this, 0, 1)) {
405             engineMap.remove(ssl);
406             SSL.freeSSL(ssl);
407             ssl = networkBIO = 0;
408 
409             isInboundDone = outboundClosed = true;
410         }
411 
412         // On shutdown clear all errors
413         SSL.clearError();
414     }
415 
416     /**
417      * Write plaintext data to the OpenSSL internal BIO
418      *
419      * Calling this function with src.remaining == 0 is undefined.
420      */
421     private int writePlaintextData(final ByteBuffer src, int len) {
422         final int pos = src.position();
423         final int limit = src.limit();
424         final int sslWrote;
425 
426         if (src.isDirect()) {
427             sslWrote = SSL.writeToSSL(ssl, bufferAddress(src) + pos, len);
428             if (sslWrote > 0) {
429                 src.position(pos + sslWrote);
430             }
431         } else {
432             ByteBuf buf = alloc.directBuffer(len);
433             try {
434                 src.limit(pos + len);
435 
436                 buf.setBytes(0, src);
437                 src.limit(limit);
438 
439                 sslWrote = SSL.writeToSSL(ssl, memoryAddress(buf), len);
440                 if (sslWrote > 0) {
441                     src.position(pos + sslWrote);
442                 } else {
443                     src.position(pos);
444                 }
445             } finally {
446                 buf.release();
447             }
448         }
449         return sslWrote;
450     }
451 
452     /**
453      * Write encrypted data to the OpenSSL network BIO.
454      */
455     private ByteBuf writeEncryptedData(final ByteBuffer src, int len) {
456         final int pos = src.position();
457         if (src.isDirect()) {
458             SSL.bioSetByteBuffer(networkBIO, bufferAddress(src) + pos, len, false);
459         } else {
460             final ByteBuf buf = alloc.directBuffer(len);
461             try {
462                 final int limit = src.limit();
463                 src.limit(pos + len);
464                 buf.writeBytes(src);
465                 // Restore the original position and limit because we don't want to consume from `src`.
466                 src.position(pos);
467                 src.limit(limit);
468 
469                 SSL.bioSetByteBuffer(networkBIO, memoryAddress(buf), len, false);
470                 return buf;
471             } catch (Throwable cause) {
472                 buf.release();
473                 PlatformDependent.throwException(cause);
474             }
475         }
476         return null;
477     }
478 
479     /**
480      * Read plaintext data from the OpenSSL internal BIO
481      */
482     private int readPlaintextData(final ByteBuffer dst) {
483         final int sslRead;
484         final int pos = dst.position();
485         if (dst.isDirect()) {
486             sslRead = SSL.readFromSSL(ssl, bufferAddress(dst) + pos, dst.limit() - pos);
487             if (sslRead > 0) {
488                 dst.position(pos + sslRead);
489             }
490         } else {
491             final int limit = dst.limit();
492             final int len = min(maxEncryptedPacketLength0(), limit - pos);
493             final ByteBuf buf = alloc.directBuffer(len);
494             try {
495                 sslRead = SSL.readFromSSL(ssl, memoryAddress(buf), len);
496                 if (sslRead > 0) {
497                     dst.limit(pos + sslRead);
498                     buf.getBytes(buf.readerIndex(), dst);
499                     dst.limit(limit);
500                 }
501             } finally {
502                 buf.release();
503             }
504         }
505 
506         return sslRead;
507     }
508 
509     /**
510      * Visible only for testing!
511      */
512     final synchronized int maxWrapOverhead() {
513         return maxWrapOverhead;
514     }
515 
516     /**
517      * Visible only for testing!
518      */
519     final synchronized int maxEncryptedPacketLength() {
520         return maxEncryptedPacketLength0();
521     }
522 
523     /**
524      * This method is intentionally not synchronized, only use if you know you are in the EventLoop
525      * thread and visibility on {@link #maxWrapOverhead} is achieved via other synchronized blocks.
526      */
527     final int maxEncryptedPacketLength0() {
528         return maxWrapOverhead + MAX_PLAINTEXT_LENGTH;
529     }
530 
531     /**
532      * This method is intentionally not synchronized, only use if you know you are in the EventLoop
533      * thread and visibility on {@link #maxWrapBufferSize} and {@link #maxWrapOverhead} is achieved
534      * via other synchronized blocks.
535      */
536     final int calculateMaxLengthForWrap(int plaintextLength, int numComponents) {
537         return (int) min(maxWrapBufferSize, plaintextLength + (long) maxWrapOverhead * numComponents);
538     }
539 
540     final synchronized int sslPending() {
541         return sslPending0();
542     }
543 
544     /**
545      * It is assumed this method is called in a synchronized block (or the constructor)!
546      */
547     private void calculateMaxWrapOverhead() {
548         maxWrapOverhead = SSL.getMaxWrapOverhead(ssl);
549 
550         // maxWrapBufferSize must be set after maxWrapOverhead because there is a dependency on this value.
551         // If jdkCompatibility mode is off we allow enough space to encrypt 16 buffers at a time. This could be
552         // configurable in the future if necessary.
553         maxWrapBufferSize = jdkCompatibilityMode ? maxEncryptedPacketLength0() : maxEncryptedPacketLength0() << 4;
554     }
555 
556     private int sslPending0() {
557         // OpenSSL has a limitation where if you call SSL_pending before the handshake is complete OpenSSL will throw a
558         // "called a function you should not call" error. Using the TLS_method instead of SSLv23_method may solve this
559         // issue but this API is only available in 1.1.0+ [1].
560         // [1] https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_new.html
561         return handshakeState != HandshakeState.FINISHED ? 0 : SSL.sslPending(ssl);
562     }
563 
564     private boolean isBytesAvailableEnoughForWrap(int bytesAvailable, int plaintextLength, int numComponents) {
565         return bytesAvailable - (long) maxWrapOverhead * numComponents >= plaintextLength;
566     }
567 
568     @Override
569     public final SSLEngineResult wrap(
570             final ByteBuffer[] srcs, int offset, final int length, final ByteBuffer dst) throws SSLException {
571         // Throw required runtime exceptions
572         if (srcs == null) {
573             throw new IllegalArgumentException("srcs is null");
574         }
575         if (dst == null) {
576             throw new IllegalArgumentException("dst is null");
577         }
578 
579         if (offset >= srcs.length || offset + length > srcs.length) {
580             throw new IndexOutOfBoundsException(
581                     "offset: " + offset + ", length: " + length +
582                             " (expected: offset <= offset + length <= srcs.length (" + srcs.length + "))");
583         }
584 
585         if (dst.isReadOnly()) {
586             throw new ReadOnlyBufferException();
587         }
588 
589         synchronized (this) {
590             if (isOutboundDone()) {
591                 // All drained in the outbound buffer
592                 return isInboundDone() || isDestroyed() ? CLOSED_NOT_HANDSHAKING : NEED_UNWRAP_CLOSED;
593             }
594 
595             int bytesProduced = 0;
596             ByteBuf bioReadCopyBuf = null;
597             try {
598                 // Setup the BIO buffer so that we directly write the encryption results into dst.
599                 if (dst.isDirect()) {
600                     SSL.bioSetByteBuffer(networkBIO, bufferAddress(dst) + dst.position(), dst.remaining(),
601                             true);
602                 } else {
603                     bioReadCopyBuf = alloc.directBuffer(dst.remaining());
604                     SSL.bioSetByteBuffer(networkBIO, memoryAddress(bioReadCopyBuf), bioReadCopyBuf.writableBytes(),
605                             true);
606                 }
607 
608                 int bioLengthBefore = SSL.bioLengthByteBuffer(networkBIO);
609 
610                 // Explicit use outboundClosed as we want to drain any bytes that are still present.
611                 if (outboundClosed) {
612                     // There is something left to drain.
613                     // See https://github.com/netty/netty/issues/6260
614                     bytesProduced = SSL.bioFlushByteBuffer(networkBIO);
615                     if (bytesProduced <= 0) {
616                         return newResultMayFinishHandshake(NOT_HANDSHAKING, 0, 0);
617                     }
618                     // It is possible when the outbound was closed there was not enough room in the non-application
619                     // buffers to hold the close_notify. We should keep trying to close until we consume all the data
620                     // OpenSSL can give us.
621                     if (!doSSLShutdown()) {
622                         return newResultMayFinishHandshake(NOT_HANDSHAKING, 0, bytesProduced);
623                     }
624                     bytesProduced = bioLengthBefore - SSL.bioLengthByteBuffer(networkBIO);
625                     return newResultMayFinishHandshake(NEED_WRAP, 0, bytesProduced);
626                 }
627 
628                 // Flush any data that may be implicitly generated by OpenSSL (handshake, close, etc..).
629                 SSLEngineResult.HandshakeStatus status = NOT_HANDSHAKING;
630                 // Prepare OpenSSL to work in server mode and receive handshake
631                 if (handshakeState != HandshakeState.FINISHED) {
632                     if (handshakeState != HandshakeState.STARTED_EXPLICITLY) {
633                         // Update accepted so we know we triggered the handshake via wrap
634                         handshakeState = HandshakeState.STARTED_IMPLICITLY;
635                     }
636 
637                     // Flush any data that may have been written implicitly during the handshake by OpenSSL.
638                     bytesProduced = SSL.bioFlushByteBuffer(networkBIO);
639 
640                     if (bytesProduced > 0 && handshakeException != null) {
641                         // TODO(scott): It is possible that when the handshake failed there was not enough room in the
642                         // non-application buffers to hold the alert. We should get all the data before progressing on.
643                         // However I'm not aware of a way to do this with the OpenSSL APIs.
644                         // See https://github.com/netty/netty/issues/6385.
645 
646                         // We produced / consumed some data during the handshake, signal back to the caller.
647                         // If there is a handshake exception and we have produced data, we should send the data before
648                         // we allow handshake() to throw the handshake exception.
649                         return newResult(NEED_WRAP, 0, bytesProduced);
650                     }
651 
652                     status = handshake();
653 
654                     // Handshake may have generated more data, for example if the internal SSL buffer is small
655                     // we may have freed up space by flushing above.
656                     bytesProduced = bioLengthBefore - SSL.bioLengthByteBuffer(networkBIO);
657 
658                     if (bytesProduced > 0) {
659                         // If we have filled up the dst buffer and we have not finished the handshake we should try to
660                         // wrap again. Otherwise we should only try to wrap again if there is still data pending in
661                         // SSL buffers.
662                         return newResult(mayFinishHandshake(status != FINISHED ?
663                                          bytesProduced == bioLengthBefore ? NEED_WRAP :
664                                          getHandshakeStatus(SSL.bioLengthNonApplication(networkBIO)) : FINISHED),
665                                          0, bytesProduced);
666                     }
667 
668                     if (status == NEED_UNWRAP) {
669                         // Signal if the outbound is done or not.
670                         return isOutboundDone() ? NEED_UNWRAP_CLOSED : NEED_UNWRAP_OK;
671                     }
672 
673                     // Explicit use outboundClosed and not outboundClosed() as we want to drain any bytes that are
674                     // still present.
675                     if (outboundClosed) {
676                         bytesProduced = SSL.bioFlushByteBuffer(networkBIO);
677                         return newResultMayFinishHandshake(status, 0, bytesProduced);
678                     }
679                 }
680 
681                 final int endOffset = offset + length;
682                 if (jdkCompatibilityMode) {
683                     int srcsLen = 0;
684                     for (int i = offset; i < endOffset; ++i) {
685                         final ByteBuffer src = srcs[i];
686                         if (src == null) {
687                             throw new IllegalArgumentException("srcs[" + i + "] is null");
688                         }
689                         if (srcsLen == MAX_PLAINTEXT_LENGTH) {
690                             continue;
691                         }
692 
693                         srcsLen += src.remaining();
694                         if (srcsLen > MAX_PLAINTEXT_LENGTH || srcsLen < 0) {
695                             // If srcLen > MAX_PLAINTEXT_LENGTH or secLen < 0 just set it to MAX_PLAINTEXT_LENGTH.
696                             // This also help us to guard against overflow.
697                             // We not break out here as we still need to check for null entries in srcs[].
698                             srcsLen = MAX_PLAINTEXT_LENGTH;
699                         }
700                     }
701 
702                     // jdkCompatibilityMode will only produce a single TLS packet, and we don't aggregate src buffers,
703                     // so we always fix the number of buffers to 1 when checking if the dst buffer is large enough.
704                     if (!isBytesAvailableEnoughForWrap(dst.remaining(), srcsLen, 1)) {
705                         return new SSLEngineResult(BUFFER_OVERFLOW, getHandshakeStatus(), 0, 0);
706                     }
707                 }
708 
709                 // There was no pending data in the network BIO -- encrypt any application data
710                 int bytesConsumed = 0;
711                 // Flush any data that may have been written implicitly by OpenSSL in case a shutdown/alert occurs.
712                 bytesProduced = SSL.bioFlushByteBuffer(networkBIO);
713                 for (; offset < endOffset; ++offset) {
714                     final ByteBuffer src = srcs[offset];
715                     final int remaining = src.remaining();
716                     if (remaining == 0) {
717                         continue;
718                     }
719 
720                     final int bytesWritten;
721                     if (jdkCompatibilityMode) {
722                         // Write plaintext application data to the SSL engine. We don't have to worry about checking
723                         // if there is enough space if jdkCompatibilityMode because we only wrap at most
724                         // MAX_PLAINTEXT_LENGTH and we loop over the input before hand and check if there is space.
725                         bytesWritten = writePlaintextData(src, min(remaining, MAX_PLAINTEXT_LENGTH - bytesConsumed));
726                     } else {
727                         // OpenSSL's SSL_write keeps state between calls. We should make sure the amount we attempt to
728                         // write is guaranteed to succeed so we don't have to worry about keeping state consistent
729                         // between calls.
730                         final int availableCapacityForWrap = dst.remaining() - bytesProduced - maxWrapOverhead;
731                         if (availableCapacityForWrap <= 0) {
732                             return new SSLEngineResult(BUFFER_OVERFLOW, getHandshakeStatus(), bytesConsumed,
733                                     bytesProduced);
734                         }
735                         bytesWritten = writePlaintextData(src, min(remaining, availableCapacityForWrap));
736                     }
737 
738                     if (bytesWritten > 0) {
739                         bytesConsumed += bytesWritten;
740 
741                         // Determine how much encrypted data was generated:
742                         final int pendingNow = SSL.bioLengthByteBuffer(networkBIO);
743                         bytesProduced += bioLengthBefore - pendingNow;
744                         bioLengthBefore = pendingNow;
745 
746                         if (jdkCompatibilityMode || bytesProduced == dst.remaining()) {
747                             return newResultMayFinishHandshake(status, bytesConsumed, bytesProduced);
748                         }
749                     } else {
750                         int sslError = SSL.getError(ssl, bytesWritten);
751                         if (sslError == SSL.SSL_ERROR_ZERO_RETURN) {
752                             // This means the connection was shutdown correctly, close inbound and outbound
753                             if (!receivedShutdown) {
754                                 closeAll();
755 
756                                 bytesProduced += bioLengthBefore - SSL.bioLengthByteBuffer(networkBIO);
757 
758                                 // If we have filled up the dst buffer and we have not finished the handshake we should
759                                 // try to wrap again. Otherwise we should only try to wrap again if there is still data
760                                 // pending in SSL buffers.
761                                 SSLEngineResult.HandshakeStatus hs = mayFinishHandshake(
762                                         status != FINISHED ? bytesProduced == dst.remaining() ? NEED_WRAP
763                                                 : getHandshakeStatus(SSL.bioLengthNonApplication(networkBIO))
764                                                 : FINISHED);
765                                 return newResult(hs, bytesConsumed, bytesProduced);
766                             }
767 
768                             return newResult(NOT_HANDSHAKING, bytesConsumed, bytesProduced);
769                         } else if (sslError == SSL.SSL_ERROR_WANT_READ) {
770                             // If there is no pending data to read from BIO we should go back to event loop and try
771                             // to read more data [1]. It is also possible that event loop will detect the socket has
772                             // been closed. [1] https://www.openssl.org/docs/manmaster/ssl/SSL_write.html
773                             return newResult(NEED_UNWRAP, bytesConsumed, bytesProduced);
774                         } else if (sslError == SSL.SSL_ERROR_WANT_WRITE) {
775                             // SSL_ERROR_WANT_WRITE typically means that the underlying transport is not writable
776                             // and we should set the "want write" flag on the selector and try again when the
777                             // underlying transport is writable [1]. However we are not directly writing to the
778                             // underlying transport and instead writing to a BIO buffer. The OpenSsl documentation
779                             // says we should do the following [1]:
780                             //
781                             // "When using a buffering BIO, like a BIO pair, data must be written into or retrieved
782                             // out of the BIO before being able to continue."
783                             //
784                             // In practice this means the destination buffer doesn't have enough space for OpenSSL
785                             // to write encrypted data to. This is an OVERFLOW condition.
786                             // [1] https://www.openssl.org/docs/manmaster/ssl/SSL_write.html
787                             return newResult(BUFFER_OVERFLOW, status, bytesConsumed, bytesProduced);
788                         } else {
789                             // Everything else is considered as error
790                             throw shutdownWithError("SSL_write");
791                         }
792                     }
793                 }
794                 return newResultMayFinishHandshake(status, bytesConsumed, bytesProduced);
795             } finally {
796                 SSL.bioClearByteBuffer(networkBIO);
797                 if (bioReadCopyBuf == null) {
798                     dst.position(dst.position() + bytesProduced);
799                 } else {
800                     assert bioReadCopyBuf.readableBytes() <= dst.remaining() : "The destination buffer " + dst +
801                             " didn't have enough remaining space to hold the encrypted content in " + bioReadCopyBuf;
802                     dst.put(bioReadCopyBuf.internalNioBuffer(bioReadCopyBuf.readerIndex(), bytesProduced));
803                     bioReadCopyBuf.release();
804                 }
805             }
806         }
807     }
808 
809     private SSLEngineResult newResult(SSLEngineResult.HandshakeStatus hs, int bytesConsumed, int bytesProduced) {
810         return newResult(OK, hs, bytesConsumed, bytesProduced);
811     }
812 
813     private SSLEngineResult newResult(SSLEngineResult.Status status, SSLEngineResult.HandshakeStatus hs,
814                                       int bytesConsumed, int bytesProduced) {
815         // If isOutboundDone, then the data from the network BIO
816         // was the close_notify message and all was consumed we are not required to wait
817         // for the receipt the peer's close_notify message -- shutdown.
818         if (isOutboundDone()) {
819             if (isInboundDone()) {
820                 // If the inbound was done as well, we need to ensure we return NOT_HANDSHAKING to signal we are done.
821                 hs = NOT_HANDSHAKING;
822 
823                 // As the inbound and the outbound is done we can shutdown the engine now.
824                 shutdown();
825             }
826             return new SSLEngineResult(CLOSED, hs, bytesConsumed, bytesProduced);
827         }
828         return new SSLEngineResult(status, hs, bytesConsumed, bytesProduced);
829     }
830 
831     private SSLEngineResult newResultMayFinishHandshake(SSLEngineResult.HandshakeStatus hs,
832                                                         int bytesConsumed, int bytesProduced) throws SSLException {
833         return newResult(mayFinishHandshake(hs != FINISHED ? getHandshakeStatus() : FINISHED),
834                          bytesConsumed, bytesProduced);
835     }
836 
837     private SSLEngineResult newResultMayFinishHandshake(SSLEngineResult.Status status,
838                                                         SSLEngineResult.HandshakeStatus hs,
839                                                         int bytesConsumed, int bytesProduced) throws SSLException {
840         return newResult(status, mayFinishHandshake(hs != FINISHED ? getHandshakeStatus() : FINISHED),
841                          bytesConsumed, bytesProduced);
842     }
843 
844     /**
845      * Log the error, shutdown the engine and throw an exception.
846      */
847     private SSLException shutdownWithError(String operations) {
848         String err = SSL.getLastError();
849         return shutdownWithError(operations, err);
850     }
851 
852     private SSLException shutdownWithError(String operation, String err) {
853         if (logger.isDebugEnabled()) {
854             logger.debug("{} failed: OpenSSL error: {}", operation, err);
855         }
856 
857         // There was an internal error -- shutdown
858         shutdown();
859         if (handshakeState == HandshakeState.FINISHED) {
860             return new SSLException(err);
861         }
862         return new SSLHandshakeException(err);
863     }
864 
865     public final SSLEngineResult unwrap(
866             final ByteBuffer[] srcs, int srcsOffset, final int srcsLength,
867             final ByteBuffer[] dsts, int dstsOffset, final int dstsLength) throws SSLException {
868 
869         // Throw required runtime exceptions
870         if (srcs == null) {
871             throw new NullPointerException("srcs");
872         }
873         if (srcsOffset >= srcs.length
874                 || srcsOffset + srcsLength > srcs.length) {
875             throw new IndexOutOfBoundsException(
876                     "offset: " + srcsOffset + ", length: " + srcsLength +
877                             " (expected: offset <= offset + length <= srcs.length (" + srcs.length + "))");
878         }
879         if (dsts == null) {
880             throw new IllegalArgumentException("dsts is null");
881         }
882         if (dstsOffset >= dsts.length || dstsOffset + dstsLength > dsts.length) {
883             throw new IndexOutOfBoundsException(
884                     "offset: " + dstsOffset + ", length: " + dstsLength +
885                             " (expected: offset <= offset + length <= dsts.length (" + dsts.length + "))");
886         }
887         long capacity = 0;
888         final int dstsEndOffset = dstsOffset + dstsLength;
889         for (int i = dstsOffset; i < dstsEndOffset; i ++) {
890             ByteBuffer dst = dsts[i];
891             if (dst == null) {
892                 throw new IllegalArgumentException("dsts[" + i + "] is null");
893             }
894             if (dst.isReadOnly()) {
895                 throw new ReadOnlyBufferException();
896             }
897             capacity += dst.remaining();
898         }
899 
900         final int srcsEndOffset = srcsOffset + srcsLength;
901         long len = 0;
902         for (int i = srcsOffset; i < srcsEndOffset; i++) {
903             ByteBuffer src = srcs[i];
904             if (src == null) {
905                 throw new IllegalArgumentException("srcs[" + i + "] is null");
906             }
907             len += src.remaining();
908         }
909 
910         synchronized (this) {
911             if (isInboundDone()) {
912                 return isOutboundDone() || isDestroyed() ? CLOSED_NOT_HANDSHAKING : NEED_WRAP_CLOSED;
913             }
914 
915             SSLEngineResult.HandshakeStatus status = NOT_HANDSHAKING;
916             // Prepare OpenSSL to work in server mode and receive handshake
917             if (handshakeState != HandshakeState.FINISHED) {
918                 if (handshakeState != HandshakeState.STARTED_EXPLICITLY) {
919                     // Update accepted so we know we triggered the handshake via wrap
920                     handshakeState = HandshakeState.STARTED_IMPLICITLY;
921                 }
922 
923                 status = handshake();
924                 if (status == NEED_WRAP) {
925                     return NEED_WRAP_OK;
926                 }
927                 // Check if the inbound is considered to be closed if so let us try to wrap again.
928                 if (isInboundDone) {
929                     return NEED_WRAP_CLOSED;
930                 }
931             }
932 
933             int sslPending = sslPending0();
934             int packetLength;
935             // The JDK implies that only a single SSL packet should be processed per unwrap call [1]. If we are in
936             // JDK compatibility mode then we should honor this, but if not we just wrap as much as possible. If there
937             // are multiple records or partial records this may reduce thrashing events through the pipeline.
938             // [1] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html
939             if (jdkCompatibilityMode) {
940                 if (len < SSL_RECORD_HEADER_LENGTH) {
941                     return newResultMayFinishHandshake(BUFFER_UNDERFLOW, status, 0, 0);
942                 }
943 
944                 packetLength = SslUtils.getEncryptedPacketLength(srcs, srcsOffset);
945                 if (packetLength == SslUtils.NOT_ENCRYPTED) {
946                     throw new NotSslRecordException("not an SSL/TLS record");
947                 }
948 
949                 final int packetLengthDataOnly = packetLength - SSL_RECORD_HEADER_LENGTH;
950                 if (packetLengthDataOnly > capacity) {
951                     // Not enough space in the destination buffer so signal the caller that the buffer needs to be
952                     // increased.
953                     if (packetLengthDataOnly > MAX_RECORD_SIZE) {
954                         // The packet length MUST NOT exceed 2^14 [1]. However we do accommodate more data to support
955                         // legacy use cases which may violate this condition (e.g. OpenJDK's SslEngineImpl). If the max
956                         // length is exceeded we fail fast here to avoid an infinite loop due to the fact that we
957                         // won't allocate a buffer large enough.
958                         // [1] https://tools.ietf.org/html/rfc5246#section-6.2.1
959                         throw new SSLException("Illegal packet length: " + packetLengthDataOnly + " > " +
960                                                 session.getApplicationBufferSize());
961                     } else {
962                         session.tryExpandApplicationBufferSize(packetLengthDataOnly);
963                     }
964                     return newResultMayFinishHandshake(BUFFER_OVERFLOW, status, 0, 0);
965                 }
966 
967                 if (len < packetLength) {
968                     // We either don't have enough data to read the packet length or not enough for reading the whole
969                     // packet.
970                     return newResultMayFinishHandshake(BUFFER_UNDERFLOW, status, 0, 0);
971                 }
972             } else if (len == 0 && sslPending <= 0) {
973                 return newResultMayFinishHandshake(BUFFER_UNDERFLOW, status, 0, 0);
974             } else if (capacity == 0) {
975                 return newResultMayFinishHandshake(BUFFER_OVERFLOW, status, 0, 0);
976             } else {
977                 packetLength = (int) min(MAX_VALUE, len);
978             }
979 
980             // This must always be the case when we reached here as if not we returned BUFFER_UNDERFLOW.
981             assert srcsOffset < srcsEndOffset;
982 
983             // This must always be the case if we reached here.
984             assert capacity > 0;
985 
986             // Number of produced bytes
987             int bytesProduced = 0;
988             int bytesConsumed = 0;
989             try {
990                 srcLoop:
991                 for (;;) {
992                     ByteBuffer src = srcs[srcsOffset];
993                     int remaining = src.remaining();
994                     final ByteBuf bioWriteCopyBuf;
995                     int pendingEncryptedBytes;
996                     if (remaining == 0) {
997                         if (sslPending <= 0) {
998                             // We must skip empty buffers as BIO_write will return 0 if asked to write something
999                             // with length 0.
1000                             if (++srcsOffset >= srcsEndOffset) {
1001                                 break;
1002                             }
1003                             continue;
1004                         } else {
1005                             bioWriteCopyBuf = null;
1006                             pendingEncryptedBytes = SSL.bioLengthByteBuffer(networkBIO);
1007                         }
1008                     } else {
1009                         // Write more encrypted data into the BIO. Ensure we only read one packet at a time as
1010                         // stated in the SSLEngine javadocs.
1011                         pendingEncryptedBytes = min(packetLength, remaining);
1012                         bioWriteCopyBuf = writeEncryptedData(src, pendingEncryptedBytes);
1013                     }
1014                     try {
1015                         for (;;) {
1016                             ByteBuffer dst = dsts[dstsOffset];
1017                             if (!dst.hasRemaining()) {
1018                                 // No space left in the destination buffer, skip it.
1019                                 if (++dstsOffset >= dstsEndOffset) {
1020                                     break srcLoop;
1021                                 }
1022                                 continue;
1023                             }
1024 
1025                             int bytesRead = readPlaintextData(dst);
1026                             // We are directly using the ByteBuffer memory for the write, and so we only know what has
1027                             // been consumed after we let SSL decrypt the data. At this point we should update the
1028                             // number of bytes consumed, update the ByteBuffer position, and release temp ByteBuf.
1029                             int localBytesConsumed = pendingEncryptedBytes - SSL.bioLengthByteBuffer(networkBIO);
1030                             bytesConsumed += localBytesConsumed;
1031                             packetLength -= localBytesConsumed;
1032                             pendingEncryptedBytes -= localBytesConsumed;
1033                             src.position(src.position() + localBytesConsumed);
1034 
1035                             if (bytesRead > 0) {
1036                                 bytesProduced += bytesRead;
1037 
1038                                 if (!dst.hasRemaining()) {
1039                                     sslPending = sslPending0();
1040                                     // Move to the next dst buffer as this one is full.
1041                                     if (++dstsOffset >= dstsEndOffset) {
1042                                         return sslPending > 0 ?
1043                                                 newResult(BUFFER_OVERFLOW, status, bytesConsumed, bytesProduced) :
1044                                                 newResultMayFinishHandshake(isInboundDone() ? CLOSED : OK, status,
1045                                                                             bytesConsumed, bytesProduced);
1046                                     }
1047                                 } else if (packetLength == 0 || jdkCompatibilityMode) {
1048                                     // We either consumed all data or we are in jdkCompatibilityMode and have consumed
1049                                     // a single TLS packet and should stop consuming until this method is called again.
1050                                     break srcLoop;
1051                                 }
1052                             } else {
1053                                 int sslError = SSL.getError(ssl, bytesRead);
1054                                 if (sslError == SSL.SSL_ERROR_WANT_READ || sslError == SSL.SSL_ERROR_WANT_WRITE) {
1055                                     // break to the outer loop as we want to read more data which means we need to
1056                                     // write more to the BIO.
1057                                     break;
1058                                 } else if (sslError == SSL.SSL_ERROR_ZERO_RETURN) {
1059                                     // This means the connection was shutdown correctly, close inbound and outbound
1060                                     if (!receivedShutdown) {
1061                                         closeAll();
1062                                     }
1063                                     return newResultMayFinishHandshake(isInboundDone() ? CLOSED : OK, status,
1064                                                                        bytesConsumed, bytesProduced);
1065                                 } else {
1066                                     return sslReadErrorResult(SSL.getLastErrorNumber(), bytesConsumed,
1067                                                               bytesProduced);
1068                                 }
1069                             }
1070                         }
1071 
1072                         if (++srcsOffset >= srcsEndOffset) {
1073                             break;
1074                         }
1075                     } finally {
1076                         if (bioWriteCopyBuf != null) {
1077                             bioWriteCopyBuf.release();
1078                         }
1079                     }
1080                 }
1081             } finally {
1082                 SSL.bioClearByteBuffer(networkBIO);
1083                 rejectRemoteInitiatedRenegotiation();
1084             }
1085 
1086             // Check to see if we received a close_notify message from the peer.
1087             if (!receivedShutdown && (SSL.getShutdown(ssl) & SSL.SSL_RECEIVED_SHUTDOWN) == SSL.SSL_RECEIVED_SHUTDOWN) {
1088                 closeAll();
1089             }
1090 
1091             return newResultMayFinishHandshake(isInboundDone() ? CLOSED : OK, status, bytesConsumed, bytesProduced);
1092         }
1093     }
1094 
1095     private SSLEngineResult sslReadErrorResult(int err, int bytesConsumed, int bytesProduced) throws SSLException {
1096         String errStr = SSL.getErrorString(err);
1097 
1098         // Check if we have a pending handshakeException and if so see if we need to consume all pending data from the
1099         // BIO first or can just shutdown and throw it now.
1100         // This is needed so we ensure close_notify etc is correctly send to the remote peer.
1101         // See https://github.com/netty/netty/issues/3900
1102         if (SSL.bioLengthNonApplication(networkBIO) > 0) {
1103             if (handshakeException == null && handshakeState != HandshakeState.FINISHED) {
1104                 // we seems to have data left that needs to be transfered and so the user needs
1105                 // call wrap(...). Store the error so we can pick it up later.
1106                 handshakeException = new SSLHandshakeException(errStr);
1107             }
1108             return new SSLEngineResult(OK, NEED_WRAP, bytesConsumed, bytesProduced);
1109         }
1110         throw shutdownWithError("SSL_read", errStr);
1111     }
1112 
1113     private void closeAll() throws SSLException {
1114         receivedShutdown = true;
1115         closeOutbound();
1116         closeInbound();
1117     }
1118 
1119     private void rejectRemoteInitiatedRenegotiation() throws SSLHandshakeException {
1120         // As rejectRemoteInitiatedRenegotiation() is called in a finally block we also need to check if we shutdown
1121         // the engine before as otherwise SSL.getHandshakeCount(ssl) will throw an NPE if the passed in ssl is 0.
1122         // See https://github.com/netty/netty/issues/7353
1123         if (!isDestroyed() && SSL.getHandshakeCount(ssl) > 1) {
1124             // TODO: In future versions me may also want to send a fatal_alert to the client and so notify it
1125             // that the renegotiation failed.
1126             shutdown();
1127             throw new SSLHandshakeException("remote-initiated renegotiation not allowed");
1128         }
1129     }
1130 
1131     public final SSLEngineResult unwrap(final ByteBuffer[] srcs, final ByteBuffer[] dsts) throws SSLException {
1132         return unwrap(srcs, 0, srcs.length, dsts, 0, dsts.length);
1133     }
1134 
1135     private ByteBuffer[] singleSrcBuffer(ByteBuffer src) {
1136         singleSrcBuffer[0] = src;
1137         return singleSrcBuffer;
1138     }
1139 
1140     private void resetSingleSrcBuffer() {
1141         singleSrcBuffer[0] = null;
1142     }
1143 
1144     private ByteBuffer[] singleDstBuffer(ByteBuffer src) {
1145         singleDstBuffer[0] = src;
1146         return singleDstBuffer;
1147     }
1148 
1149     private void resetSingleDstBuffer() {
1150         singleDstBuffer[0] = null;
1151     }
1152 
1153     @Override
1154     public final synchronized SSLEngineResult unwrap(
1155             final ByteBuffer src, final ByteBuffer[] dsts, final int offset, final int length) throws SSLException {
1156         try {
1157             return unwrap(singleSrcBuffer(src), 0, 1, dsts, offset, length);
1158         } finally {
1159             resetSingleSrcBuffer();
1160         }
1161     }
1162 
1163     @Override
1164     public final synchronized SSLEngineResult wrap(ByteBuffer src, ByteBuffer dst) throws SSLException {
1165         try {
1166             return wrap(singleSrcBuffer(src), dst);
1167         } finally {
1168             resetSingleSrcBuffer();
1169         }
1170     }
1171 
1172     @Override
1173     public final synchronized SSLEngineResult unwrap(ByteBuffer src, ByteBuffer dst) throws SSLException {
1174         try {
1175             return unwrap(singleSrcBuffer(src), singleDstBuffer(dst));
1176         } finally {
1177             resetSingleSrcBuffer();
1178             resetSingleDstBuffer();
1179         }
1180     }
1181 
1182     @Override
1183     public final synchronized SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts) throws SSLException {
1184         try {
1185             return unwrap(singleSrcBuffer(src), dsts);
1186         } finally {
1187             resetSingleSrcBuffer();
1188         }
1189     }
1190 
1191     @Override
1192     public final Runnable getDelegatedTask() {
1193         // Currently, we do not delegate SSL computation tasks
1194         // TODO: in the future, possibly create tasks to do encrypt / decrypt async
1195         return null;
1196     }
1197 
1198     @Override
1199     public final synchronized void closeInbound() throws SSLException {
1200         if (isInboundDone) {
1201             return;
1202         }
1203 
1204         isInboundDone = true;
1205 
1206         if (isOutboundDone()) {
1207             // Only call shutdown if there is no outbound data pending.
1208             // See https://github.com/netty/netty/issues/6167
1209             shutdown();
1210         }
1211 
1212         if (handshakeState != HandshakeState.NOT_STARTED && !receivedShutdown) {
1213             throw new SSLException(
1214                     "Inbound closed before receiving peer's close_notify: possible truncation attack?");
1215         }
1216     }
1217 
1218     @Override
1219     public final synchronized boolean isInboundDone() {
1220         return isInboundDone;
1221     }
1222 
1223     @Override
1224     public final synchronized void closeOutbound() {
1225         if (outboundClosed) {
1226             return;
1227         }
1228 
1229         outboundClosed = true;
1230 
1231         if (handshakeState != HandshakeState.NOT_STARTED && !isDestroyed()) {
1232             int mode = SSL.getShutdown(ssl);
1233             if ((mode & SSL.SSL_SENT_SHUTDOWN) != SSL.SSL_SENT_SHUTDOWN) {
1234                 doSSLShutdown();
1235             }
1236         } else {
1237             // engine closing before initial handshake
1238             shutdown();
1239         }
1240     }
1241 
1242     /**
1243      * Attempt to call {@link SSL#shutdownSSL(long)}.
1244      * @return {@code false} if the call to {@link SSL#shutdownSSL(long)} was not attempted or returned an error.
1245      */
1246     private boolean doSSLShutdown() {
1247         if (SSL.isInInit(ssl) != 0) {
1248             // Only try to call SSL_shutdown if we are not in the init state anymore.
1249             // Otherwise we will see 'error:140E0197:SSL routines:SSL_shutdown:shutdown while in init' in our logs.
1250             //
1251             // See also http://hg.nginx.org/nginx/rev/062c189fee20
1252             return false;
1253         }
1254         int err = SSL.shutdownSSL(ssl);
1255         if (err < 0) {
1256             int sslErr = SSL.getError(ssl, err);
1257             if (sslErr == SSL.SSL_ERROR_SYSCALL || sslErr == SSL.SSL_ERROR_SSL) {
1258                 if (logger.isDebugEnabled()) {
1259                     logger.debug("SSL_shutdown failed: OpenSSL error: {}", SSL.getLastError());
1260                 }
1261                 // There was an internal error -- shutdown
1262                 shutdown();
1263                 return false;
1264             }
1265             SSL.clearError();
1266         }
1267         return true;
1268     }
1269 
1270     @Override
1271     public final synchronized boolean isOutboundDone() {
1272         // Check if there is anything left in the outbound buffer.
1273         // We need to ensure we only call SSL.pendingWrittenBytesInBIO(...) if the engine was not destroyed yet.
1274         return outboundClosed && (networkBIO == 0 || SSL.bioLengthNonApplication(networkBIO) == 0);
1275     }
1276 
1277     @Override
1278     public final String[] getSupportedCipherSuites() {
1279         return OpenSsl.AVAILABLE_CIPHER_SUITES.toArray(new String[OpenSsl.AVAILABLE_CIPHER_SUITES.size()]);
1280     }
1281 
1282     @Override
1283     public final String[] getEnabledCipherSuites() {
1284         final String[] enabled;
1285         synchronized (this) {
1286             if (!isDestroyed()) {
1287                 enabled = SSL.getCiphers(ssl);
1288             } else {
1289                 return EmptyArrays.EMPTY_STRINGS;
1290             }
1291         }
1292         if (enabled == null) {
1293             return EmptyArrays.EMPTY_STRINGS;
1294         } else {
1295             synchronized (this) {
1296                 for (int i = 0; i < enabled.length; i++) {
1297                     String mapped = toJavaCipherSuite(enabled[i]);
1298                     if (mapped != null) {
1299                         enabled[i] = mapped;
1300                     }
1301                 }
1302             }
1303             return enabled;
1304         }
1305     }
1306 
1307     @Override
1308     public final void setEnabledCipherSuites(String[] cipherSuites) {
1309         checkNotNull(cipherSuites, "cipherSuites");
1310 
1311         final StringBuilder buf = new StringBuilder();
1312         for (String c: cipherSuites) {
1313             if (c == null) {
1314                 break;
1315             }
1316 
1317             String converted = CipherSuiteConverter.toOpenSsl(c);
1318             if (converted == null) {
1319                 converted = c;
1320             }
1321 
1322             if (!OpenSsl.isCipherSuiteAvailable(converted)) {
1323                 throw new IllegalArgumentException("unsupported cipher suite: " + c + '(' + converted + ')');
1324             }
1325 
1326             buf.append(converted);
1327             buf.append(':');
1328         }
1329 
1330         if (buf.length() == 0) {
1331             throw new IllegalArgumentException("empty cipher suites");
1332         }
1333         buf.setLength(buf.length() - 1);
1334 
1335         final String cipherSuiteSpec = buf.toString();
1336 
1337         synchronized (this) {
1338             if (!isDestroyed()) {
1339                 try {
1340                     SSL.setCipherSuites(ssl, cipherSuiteSpec);
1341                 } catch (Exception e) {
1342                     throw new IllegalStateException("failed to enable cipher suites: " + cipherSuiteSpec, e);
1343                 }
1344             } else {
1345                 throw new IllegalStateException("failed to enable cipher suites: " + cipherSuiteSpec);
1346             }
1347         }
1348     }
1349 
1350     @Override
1351     public final String[] getSupportedProtocols() {
1352         return OpenSsl.SUPPORTED_PROTOCOLS_SET.toArray(new String[OpenSsl.SUPPORTED_PROTOCOLS_SET.size()]);
1353     }
1354 
1355     @Override
1356     public final String[] getEnabledProtocols() {
1357         List<String> enabled = new ArrayList<String>(6);
1358         // Seems like there is no way to explicit disable SSLv2Hello in openssl so it is always enabled
1359         enabled.add(PROTOCOL_SSL_V2_HELLO);
1360 
1361         int opts;
1362         synchronized (this) {
1363             if (!isDestroyed()) {
1364                 opts = SSL.getOptions(ssl);
1365             } else {
1366                 return enabled.toArray(new String[1]);
1367             }
1368         }
1369         if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1, PROTOCOL_TLS_V1)) {
1370             enabled.add(PROTOCOL_TLS_V1);
1371         }
1372         if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_1, PROTOCOL_TLS_V1_1)) {
1373             enabled.add(PROTOCOL_TLS_V1_1);
1374         }
1375         if (isProtocolEnabled(opts, SSL.SSL_OP_NO_TLSv1_2, PROTOCOL_TLS_V1_2)) {
1376             enabled.add(PROTOCOL_TLS_V1_2);
1377         }
1378         if (isProtocolEnabled(opts, SSL.SSL_OP_NO_SSLv2, PROTOCOL_SSL_V2)) {
1379             enabled.add(PROTOCOL_SSL_V2);
1380         }
1381         if (isProtocolEnabled(opts, SSL.SSL_OP_NO_SSLv3, PROTOCOL_SSL_V3)) {
1382             enabled.add(PROTOCOL_SSL_V3);
1383         }
1384         return enabled.toArray(new String[enabled.size()]);
1385     }
1386 
1387     private static boolean isProtocolEnabled(int opts, int disableMask, String protocolString) {
1388         // We also need to check if the actual protocolString is supported as depending on the openssl API
1389         // implementations it may use a disableMask of 0 (BoringSSL is doing this for example).
1390         return (opts & disableMask) == 0 && OpenSsl.SUPPORTED_PROTOCOLS_SET.contains(protocolString);
1391     }
1392 
1393     /**
1394      * {@inheritDoc}
1395      * TLS doesn't support a way to advertise non-contiguous versions from the client's perspective, and the client
1396      * just advertises the max supported version. The TLS protocol also doesn't support all different combinations of
1397      * discrete protocols, and instead assumes contiguous ranges. OpenSSL has some unexpected behavior
1398      * (e.g. handshake failures) if non-contiguous protocols are used even where there is a compatible set of protocols
1399      * and ciphers. For these reasons this method will determine the minimum protocol and the maximum protocol and
1400      * enabled a contiguous range from [min protocol, max protocol] in OpenSSL.
1401      */
1402     @Override
1403     public final void setEnabledProtocols(String[] protocols) {
1404         if (protocols == null) {
1405             // This is correct from the API docs
1406             throw new IllegalArgumentException();
1407         }
1408         int minProtocolIndex = OPENSSL_OP_NO_PROTOCOLS.length;
1409         int maxProtocolIndex = 0;
1410         for (String p: protocols) {
1411             if (!OpenSsl.SUPPORTED_PROTOCOLS_SET.contains(p)) {
1412                 throw new IllegalArgumentException("Protocol " + p + " is not supported.");
1413             }
1414             if (p.equals(PROTOCOL_SSL_V2)) {
1415                 if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2) {
1416                     minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2;
1417                 }
1418                 if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2) {
1419                     maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2;
1420                 }
1421             } else if (p.equals(PROTOCOL_SSL_V3)) {
1422                 if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3) {
1423                     minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3;
1424                 }
1425                 if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3) {
1426                     maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3;
1427                 }
1428             } else if (p.equals(PROTOCOL_TLS_V1)) {
1429                 if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1) {
1430                     minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1;
1431                 }
1432                 if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1) {
1433                     maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1;
1434                 }
1435             } else if (p.equals(PROTOCOL_TLS_V1_1)) {
1436                 if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1) {
1437                     minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1;
1438                 }
1439                 if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1) {
1440                     maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1;
1441                 }
1442             } else if (p.equals(PROTOCOL_TLS_V1_2)) {
1443                 if (minProtocolIndex > OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2) {
1444                     minProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2;
1445                 }
1446                 if (maxProtocolIndex < OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2) {
1447                     maxProtocolIndex = OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2;
1448                 }
1449             }
1450         }
1451         synchronized (this) {
1452             if (!isDestroyed()) {
1453                 // Clear out options which disable protocols
1454                 SSL.clearOptions(ssl, SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSL.SSL_OP_NO_TLSv1 |
1455                                       SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_NO_TLSv1_2);
1456 
1457                 int opts = 0;
1458                 for (int i = 0; i < minProtocolIndex; ++i) {
1459                     opts |= OPENSSL_OP_NO_PROTOCOLS[i];
1460                 }
1461                 assert maxProtocolIndex != MAX_VALUE;
1462                 for (int i = maxProtocolIndex + 1; i < OPENSSL_OP_NO_PROTOCOLS.length; ++i) {
1463                     opts |= OPENSSL_OP_NO_PROTOCOLS[i];
1464                 }
1465 
1466                 // Disable protocols we do not want
1467                 SSL.setOptions(ssl, opts);
1468             } else {
1469                 throw new IllegalStateException("failed to enable protocols: " + Arrays.asList(protocols));
1470             }
1471         }
1472     }
1473 
1474     @Override
1475     public final SSLSession getSession() {
1476         return session;
1477     }
1478 
1479     @Override
1480     public final synchronized void beginHandshake() throws SSLException {
1481         switch (handshakeState) {
1482             case STARTED_IMPLICITLY:
1483                 checkEngineClosed(BEGIN_HANDSHAKE_ENGINE_CLOSED);
1484 
1485                 // A user did not start handshake by calling this method by him/herself,
1486                 // but handshake has been started already by wrap() or unwrap() implicitly.
1487                 // Because it's the user's first time to call this method, it is unfair to
1488                 // raise an exception.  From the user's standpoint, he or she never asked
1489                 // for renegotiation.
1490 
1491                 handshakeState = HandshakeState.STARTED_EXPLICITLY; // Next time this method is invoked by the user,
1492                 calculateMaxWrapOverhead();
1493                 // we should raise an exception.
1494                 break;
1495             case STARTED_EXPLICITLY:
1496                 // Nothing to do as the handshake is not done yet.
1497                 break;
1498             case FINISHED:
1499                 throw RENEGOTIATION_UNSUPPORTED;
1500             case NOT_STARTED:
1501                 handshakeState = HandshakeState.STARTED_EXPLICITLY;
1502                 handshake();
1503                 calculateMaxWrapOverhead();
1504                 break;
1505             default:
1506                 throw new Error();
1507         }
1508     }
1509 
1510     private void checkEngineClosed(SSLException cause) throws SSLException {
1511         if (isDestroyed()) {
1512             throw cause;
1513         }
1514     }
1515 
1516     private static SSLEngineResult.HandshakeStatus pendingStatus(int pendingStatus) {
1517         // Depending on if there is something left in the BIO we need to WRAP or UNWRAP
1518         return pendingStatus > 0 ? NEED_WRAP : NEED_UNWRAP;
1519     }
1520 
1521     private static boolean isEmpty(Object[] arr) {
1522         return arr == null || arr.length == 0;
1523     }
1524 
1525     private static boolean isEmpty(byte[] cert) {
1526         return cert == null || cert.length == 0;
1527     }
1528 
1529     private SSLEngineResult.HandshakeStatus handshake() throws SSLException {
1530         if (handshakeState == HandshakeState.FINISHED) {
1531             return FINISHED;
1532         }
1533         checkEngineClosed(HANDSHAKE_ENGINE_CLOSED);
1534 
1535         // Check if we have a pending handshakeException and if so see if we need to consume all pending data from the
1536         // BIO first or can just shutdown and throw it now.
1537         // This is needed so we ensure close_notify etc is correctly send to the remote peer.
1538         // See https://github.com/netty/netty/issues/3900
1539         SSLHandshakeException exception = handshakeException;
1540         if (exception != null) {
1541             if (SSL.bioLengthNonApplication(networkBIO) > 0) {
1542                 // There is something pending, we need to consume it first via a WRAP so we don't loose anything.
1543                 return NEED_WRAP;
1544             }
1545             // No more data left to send to the remote peer, so null out the exception field, shutdown and throw
1546             // the exception.
1547             handshakeException = null;
1548             shutdown();
1549             throw exception;
1550         }
1551 
1552         // Adding the OpenSslEngine to the OpenSslEngineMap so it can be used in the AbstractCertificateVerifier.
1553         engineMap.add(this);
1554         if (lastAccessed == -1) {
1555             lastAccessed = System.currentTimeMillis();
1556         }
1557 
1558         if (!certificateSet && keyMaterialManager != null) {
1559             certificateSet = true;
1560             keyMaterialManager.setKeyMaterial(this);
1561         }
1562 
1563         int code = SSL.doHandshake(ssl);
1564         if (code <= 0) {
1565             // Check if we have a pending exception that was created during the handshake and if so throw it after
1566             // shutdown the connection.
1567             if (handshakeException != null) {
1568                 exception = handshakeException;
1569                 handshakeException = null;
1570                 shutdown();
1571                 throw exception;
1572             }
1573 
1574             int sslError = SSL.getError(ssl, code);
1575             if (sslError == SSL.SSL_ERROR_WANT_READ || sslError == SSL.SSL_ERROR_WANT_WRITE) {
1576                 return pendingStatus(SSL.bioLengthNonApplication(networkBIO));
1577             } else {
1578                 // Everything else is considered as error
1579                 throw shutdownWithError("SSL_do_handshake");
1580             }
1581         }
1582         // if SSL_do_handshake returns > 0 or sslError == SSL.SSL_ERROR_NAME it means the handshake was finished.
1583         session.handshakeFinished();
1584         engineMap.remove(ssl);
1585         return FINISHED;
1586     }
1587 
1588     private SSLEngineResult.HandshakeStatus mayFinishHandshake(SSLEngineResult.HandshakeStatus status)
1589             throws SSLException {
1590         if (status == NOT_HANDSHAKING && handshakeState != HandshakeState.FINISHED) {
1591             // If the status was NOT_HANDSHAKING and we not finished the handshake we need to call
1592             // SSL_do_handshake() again
1593             return handshake();
1594         }
1595         return status;
1596     }
1597 
1598     @Override
1599     public final synchronized SSLEngineResult.HandshakeStatus getHandshakeStatus() {
1600         // Check if we are in the initial handshake phase or shutdown phase
1601         return needPendingStatus() ? pendingStatus(SSL.bioLengthNonApplication(networkBIO)) : NOT_HANDSHAKING;
1602     }
1603 
1604     private SSLEngineResult.HandshakeStatus getHandshakeStatus(int pending) {
1605         // Check if we are in the initial handshake phase or shutdown phase
1606         return needPendingStatus() ? pendingStatus(pending) : NOT_HANDSHAKING;
1607     }
1608 
1609     private boolean needPendingStatus() {
1610         return handshakeState != HandshakeState.NOT_STARTED && !isDestroyed()
1611                 && (handshakeState != HandshakeState.FINISHED || isInboundDone() || isOutboundDone());
1612     }
1613 
1614     /**
1615      * Converts the specified OpenSSL cipher suite to the Java cipher suite.
1616      */
1617     private String toJavaCipherSuite(String openSslCipherSuite) {
1618         if (openSslCipherSuite == null) {
1619             return null;
1620         }
1621 
1622         String prefix = toJavaCipherSuitePrefix(SSL.getVersion(ssl));
1623         return CipherSuiteConverter.toJava(openSslCipherSuite, prefix);
1624     }
1625 
1626     /**
1627      * Converts the protocol version string returned by {@link SSL#getVersion(long)} to protocol family string.
1628      */
1629     private static String toJavaCipherSuitePrefix(String protocolVersion) {
1630         final char c;
1631         if (protocolVersion == null || protocolVersion.isEmpty()) {
1632             c = 0;
1633         } else {
1634             c = protocolVersion.charAt(0);
1635         }
1636 
1637         switch (c) {
1638             case 'T':
1639                 return "TLS";
1640             case 'S':
1641                 return "SSL";
1642             default:
1643                 return "UNKNOWN";
1644         }
1645     }
1646 
1647     @Override
1648     public final void setUseClientMode(boolean clientMode) {
1649         if (clientMode != this.clientMode) {
1650             throw new UnsupportedOperationException();
1651         }
1652     }
1653 
1654     @Override
1655     public final boolean getUseClientMode() {
1656         return clientMode;
1657     }
1658 
1659     @Override
1660     public final void setNeedClientAuth(boolean b) {
1661         setClientAuth(b ? ClientAuth.REQUIRE : ClientAuth.NONE);
1662     }
1663 
1664     @Override
1665     public final boolean getNeedClientAuth() {
1666         return clientAuth == ClientAuth.REQUIRE;
1667     }
1668 
1669     @Override
1670     public final void setWantClientAuth(boolean b) {
1671         setClientAuth(b ? ClientAuth.OPTIONAL : ClientAuth.NONE);
1672     }
1673 
1674     @Override
1675     public final boolean getWantClientAuth() {
1676         return clientAuth == ClientAuth.OPTIONAL;
1677     }
1678 
1679     /**
1680      * See <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_set_verify.html">SSL_set_verify</a> and
1681      * {@link SSL#setVerify(long, int, int)}.
1682      */
1683     @UnstableApi
1684     public final synchronized void setVerify(int verifyMode, int depth) {
1685         SSL.setVerify(ssl, verifyMode, depth);
1686     }
1687 
1688     private void setClientAuth(ClientAuth mode) {
1689         if (clientMode) {
1690             return;
1691         }
1692         synchronized (this) {
1693             if (clientAuth == mode) {
1694                 // No need to issue any JNI calls if the mode is the same
1695                 return;
1696             }
1697             switch (mode) {
1698                 case NONE:
1699                     SSL.setVerify(ssl, SSL.SSL_CVERIFY_NONE, ReferenceCountedOpenSslContext.VERIFY_DEPTH);
1700                     break;
1701                 case REQUIRE:
1702                     SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRED, ReferenceCountedOpenSslContext.VERIFY_DEPTH);
1703                     break;
1704                 case OPTIONAL:
1705                     SSL.setVerify(ssl, SSL.SSL_CVERIFY_OPTIONAL, ReferenceCountedOpenSslContext.VERIFY_DEPTH);
1706                     break;
1707                 default:
1708                     throw new Error(mode.toString());
1709             }
1710             clientAuth = mode;
1711         }
1712     }
1713 
1714     @Override
1715     public final void setEnableSessionCreation(boolean b) {
1716         if (b) {
1717             throw new UnsupportedOperationException();
1718         }
1719     }
1720 
1721     @Override
1722     public final boolean getEnableSessionCreation() {
1723         return false;
1724     }
1725 
1726     @Override
1727     public final synchronized SSLParameters getSSLParameters() {
1728         SSLParameters sslParameters = super.getSSLParameters();
1729 
1730         int version = PlatformDependent.javaVersion();
1731         if (version >= 7) {
1732             sslParameters.setEndpointIdentificationAlgorithm(endPointIdentificationAlgorithm);
1733             Java7SslParametersUtils.setAlgorithmConstraints(sslParameters, algorithmConstraints);
1734             if (version >= 8) {
1735                 if (sniHostNames != null) {
1736                     Java8SslUtils.setSniHostNames(sslParameters, sniHostNames);
1737                 }
1738                 if (!isDestroyed()) {
1739                     Java8SslUtils.setUseCipherSuitesOrder(
1740                             sslParameters, (SSL.getOptions(ssl) & SSL.SSL_OP_CIPHER_SERVER_PREFERENCE) != 0);
1741                 }
1742 
1743                 Java8SslUtils.setSNIMatchers(sslParameters, matchers);
1744             }
1745         }
1746         return sslParameters;
1747     }
1748 
1749     @Override
1750     public final synchronized void setSSLParameters(SSLParameters sslParameters) {
1751         int version = PlatformDependent.javaVersion();
1752         if (version >= 7) {
1753             if (sslParameters.getAlgorithmConstraints() != null) {
1754                 throw new IllegalArgumentException("AlgorithmConstraints are not supported.");
1755             }
1756 
1757             if (version >= 8) {
1758                 if (!isDestroyed()) {
1759                     if (clientMode) {
1760                         final List<String> sniHostNames = Java8SslUtils.getSniHostNames(sslParameters);
1761                         for (String name: sniHostNames) {
1762                             SSL.setTlsExtHostName(ssl, name);
1763                         }
1764                         this.sniHostNames = sniHostNames;
1765                     }
1766                     if (Java8SslUtils.getUseCipherSuitesOrder(sslParameters)) {
1767                         SSL.setOptions(ssl, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
1768                     } else {
1769                         SSL.clearOptions(ssl, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
1770                     }
1771                 }
1772                 matchers = sslParameters.getSNIMatchers();
1773             }
1774 
1775             final String endPointIdentificationAlgorithm = sslParameters.getEndpointIdentificationAlgorithm();
1776             final boolean endPointVerificationEnabled = endPointIdentificationAlgorithm != null &&
1777                     !endPointIdentificationAlgorithm.isEmpty();
1778             SSL.setHostNameValidation(ssl, DEFAULT_HOSTNAME_VALIDATION_FLAGS,
1779                     endPointVerificationEnabled ? getPeerHost() : null);
1780             // If the user asks for hostname verification we must ensure we verify the peer.
1781             // If the user disables hostname verification we leave it up to the user to change the mode manually.
1782             if (clientMode && endPointVerificationEnabled) {
1783                 SSL.setVerify(ssl, SSL.SSL_CVERIFY_REQUIRED, -1);
1784             }
1785 
1786             this.endPointIdentificationAlgorithm = endPointIdentificationAlgorithm;
1787             algorithmConstraints = sslParameters.getAlgorithmConstraints();
1788         }
1789         super.setSSLParameters(sslParameters);
1790     }
1791 
1792     private boolean isDestroyed() {
1793         return destroyed != 0;
1794     }
1795 
1796     final boolean checkSniHostnameMatch(String hostname) {
1797         return Java8SslUtils.checkSniHostnameMatch(matchers, hostname);
1798     }
1799 
1800     @Override
1801     public String getNegotiatedApplicationProtocol() {
1802         return applicationProtocol;
1803     }
1804 
1805     private static long bufferAddress(ByteBuffer b) {
1806         assert b.isDirect();
1807         if (PlatformDependent.hasUnsafe()) {
1808             return PlatformDependent.directBufferAddress(b);
1809         }
1810         return Buffer.address(b);
1811     }
1812 
1813     private final class OpenSslSession implements SSLSession {
1814         private final OpenSslSessionContext sessionContext;
1815 
1816         // These are guarded by synchronized(OpenSslEngine.this) as handshakeFinished() may be triggered by any
1817         // thread.
1818         private X509Certificate[] x509PeerCerts;
1819         private Certificate[] peerCerts;
1820         private String protocol;
1821         private String cipher;
1822         private byte[] id;
1823         private long creationTime;
1824         private volatile int applicationBufferSize = MAX_PLAINTEXT_LENGTH;
1825 
1826         // lazy init for memory reasons
1827         private Map<String, Object> values;
1828 
1829         OpenSslSession(OpenSslSessionContext sessionContext) {
1830             this.sessionContext = sessionContext;
1831         }
1832 
1833         @Override
1834         public byte[] getId() {
1835             synchronized (ReferenceCountedOpenSslEngine.this) {
1836                 if (id == null) {
1837                     return EmptyArrays.EMPTY_BYTES;
1838                 }
1839                 return id.clone();
1840             }
1841         }
1842 
1843         @Override
1844         public SSLSessionContext getSessionContext() {
1845             return sessionContext;
1846         }
1847 
1848         @Override
1849         public long getCreationTime() {
1850             synchronized (ReferenceCountedOpenSslEngine.this) {
1851                 if (creationTime == 0 && !isDestroyed()) {
1852                     creationTime = SSL.getTime(ssl) * 1000L;
1853                 }
1854             }
1855             return creationTime;
1856         }
1857 
1858         @Override
1859         public long getLastAccessedTime() {
1860             long lastAccessed = ReferenceCountedOpenSslEngine.this.lastAccessed;
1861             // if lastAccessed is -1 we will just return the creation time as the handshake was not started yet.
1862             return lastAccessed == -1 ? getCreationTime() : lastAccessed;
1863         }
1864 
1865         @Override
1866         public void invalidate() {
1867             synchronized (ReferenceCountedOpenSslEngine.this) {
1868                 if (!isDestroyed()) {
1869                     SSL.setTimeout(ssl, 0);
1870                 }
1871             }
1872         }
1873 
1874         @Override
1875         public boolean isValid() {
1876             synchronized (ReferenceCountedOpenSslEngine.this) {
1877                 if (!isDestroyed()) {
1878                     return System.currentTimeMillis() - (SSL.getTimeout(ssl) * 1000L) < (SSL.getTime(ssl) * 1000L);
1879                 }
1880             }
1881             return false;
1882         }
1883 
1884         @Override
1885         public void putValue(String name, Object value) {
1886             if (name == null) {
1887                 throw new NullPointerException("name");
1888             }
1889             if (value == null) {
1890                 throw new NullPointerException("value");
1891             }
1892             Map<String, Object> values = this.values;
1893             if (values == null) {
1894                 // Use size of 2 to keep the memory overhead small
1895                 values = this.values = new HashMap<String, Object>(2);
1896             }
1897             Object old = values.put(name, value);
1898             if (value instanceof SSLSessionBindingListener) {
1899                 ((SSLSessionBindingListener) value).valueBound(new SSLSessionBindingEvent(this, name));
1900             }
1901             notifyUnbound(old, name);
1902         }
1903 
1904         @Override
1905         public Object getValue(String name) {
1906             if (name == null) {
1907                 throw new NullPointerException("name");
1908             }
1909             if (values == null) {
1910                 return null;
1911             }
1912             return values.get(name);
1913         }
1914 
1915         @Override
1916         public void removeValue(String name) {
1917             if (name == null) {
1918                 throw new NullPointerException("name");
1919             }
1920             Map<String, Object> values = this.values;
1921             if (values == null) {
1922                 return;
1923             }
1924             Object old = values.remove(name);
1925             notifyUnbound(old, name);
1926         }
1927 
1928         @Override
1929         public String[] getValueNames() {
1930             Map<String, Object> values = this.values;
1931             if (values == null || values.isEmpty()) {
1932                 return EmptyArrays.EMPTY_STRINGS;
1933             }
1934             return values.keySet().toArray(new String[values.size()]);
1935         }
1936 
1937         private void notifyUnbound(Object value, String name) {
1938             if (value instanceof SSLSessionBindingListener) {
1939                 ((SSLSessionBindingListener) value).valueUnbound(new SSLSessionBindingEvent(this, name));
1940             }
1941         }
1942 
1943         /**
1944          * Finish the handshake and so init everything in the {@link OpenSslSession} that should be accessible by
1945          * the user.
1946          */
1947         void handshakeFinished() throws SSLException {
1948             synchronized (ReferenceCountedOpenSslEngine.this) {
1949                 if (!isDestroyed()) {
1950                     id = SSL.getSessionId(ssl);
1951                     cipher = toJavaCipherSuite(SSL.getCipherForSSL(ssl));
1952                     protocol = SSL.getVersion(ssl);
1953 
1954                     initPeerCerts();
1955                     selectApplicationProtocol();
1956                     calculateMaxWrapOverhead();
1957 
1958                     handshakeState = HandshakeState.FINISHED;
1959                 } else {
1960                     throw new SSLException("Already closed");
1961                 }
1962             }
1963         }
1964 
1965         /**
1966          * Init peer certificates that can be obtained via {@link #getPeerCertificateChain()}
1967          * and {@link #getPeerCertificates()}.
1968          */
1969         private void initPeerCerts() {
1970             // Return the full chain from the JNI layer.
1971             byte[][] chain = SSL.getPeerCertChain(ssl);
1972             if (clientMode) {
1973                 if (isEmpty(chain)) {
1974                     peerCerts = EMPTY_CERTIFICATES;
1975                     x509PeerCerts = EMPTY_JAVAX_X509_CERTIFICATES;
1976                 } else {
1977                     peerCerts = new Certificate[chain.length];
1978                     x509PeerCerts = new X509Certificate[chain.length];
1979                     initCerts(chain, 0);
1980                 }
1981             } else {
1982                 // if used on the server side SSL_get_peer_cert_chain(...) will not include the remote peer
1983                 // certificate. We use SSL_get_peer_certificate to get it in this case and add it to our
1984                 // array later.
1985                 //
1986                 // See https://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html
1987                 byte[] clientCert = SSL.getPeerCertificate(ssl);
1988                 if (isEmpty(clientCert)) {
1989                     peerCerts = EMPTY_CERTIFICATES;
1990                     x509PeerCerts = EMPTY_JAVAX_X509_CERTIFICATES;
1991                 } else {
1992                     if (isEmpty(chain)) {
1993                         peerCerts = new Certificate[] {new OpenSslX509Certificate(clientCert)};
1994                         x509PeerCerts = new X509Certificate[] {new OpenSslJavaxX509Certificate(clientCert)};
1995                     } else {
1996                         peerCerts = new Certificate[chain.length + 1];
1997                         x509PeerCerts = new X509Certificate[chain.length + 1];
1998                         peerCerts[0] = new OpenSslX509Certificate(clientCert);
1999                         x509PeerCerts[0] = new OpenSslJavaxX509Certificate(clientCert);
2000                         initCerts(chain, 1);
2001                     }
2002                 }
2003             }
2004         }
2005 
2006         private void initCerts(byte[][] chain, int startPos) {
2007             for (int i = 0; i < chain.length; i++) {
2008                 int certPos = startPos + i;
2009                 peerCerts[certPos] = new OpenSslX509Certificate(chain[i]);
2010                 x509PeerCerts[certPos] = new OpenSslJavaxX509Certificate(chain[i]);
2011             }
2012         }
2013 
2014         /**
2015          * Select the application protocol used.
2016          */
2017         private void selectApplicationProtocol() throws SSLException {
2018             ApplicationProtocolConfig.SelectedListenerFailureBehavior behavior = apn.selectedListenerFailureBehavior();
2019             List<String> protocols = apn.protocols();
2020             String applicationProtocol;
2021             switch (apn.protocol()) {
2022                 case NONE:
2023                     break;
2024                 // We always need to check for applicationProtocol == null as the remote peer may not support
2025                 // the TLS extension or may have returned an empty selection.
2026                 case ALPN:
2027                     applicationProtocol = SSL.getAlpnSelected(ssl);
2028                     if (applicationProtocol != null) {
2029                         ReferenceCountedOpenSslEngine.this.applicationProtocol = selectApplicationProtocol(
2030                                 protocols, behavior, applicationProtocol);
2031                     }
2032                     break;
2033                 case NPN:
2034                     applicationProtocol = SSL.getNextProtoNegotiated(ssl);
2035                     if (applicationProtocol != null) {
2036                         ReferenceCountedOpenSslEngine.this.applicationProtocol = selectApplicationProtocol(
2037                                 protocols, behavior, applicationProtocol);
2038                     }
2039                     break;
2040                 case NPN_AND_ALPN:
2041                     applicationProtocol = SSL.getAlpnSelected(ssl);
2042                     if (applicationProtocol == null) {
2043                         applicationProtocol = SSL.getNextProtoNegotiated(ssl);
2044                     }
2045                     if (applicationProtocol != null) {
2046                         ReferenceCountedOpenSslEngine.this.applicationProtocol = selectApplicationProtocol(
2047                                 protocols, behavior, applicationProtocol);
2048                     }
2049                     break;
2050                 default:
2051                     throw new Error();
2052             }
2053         }
2054 
2055         private String selectApplicationProtocol(List<String> protocols,
2056                                                  ApplicationProtocolConfig.SelectedListenerFailureBehavior behavior,
2057                                                  String applicationProtocol) throws SSLException {
2058             if (behavior == ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT) {
2059                 return applicationProtocol;
2060             } else {
2061                 int size = protocols.size();
2062                 assert size > 0;
2063                 if (protocols.contains(applicationProtocol)) {
2064                     return applicationProtocol;
2065                 } else {
2066                     if (behavior == ApplicationProtocolConfig.SelectedListenerFailureBehavior.CHOOSE_MY_LAST_PROTOCOL) {
2067                         return protocols.get(size - 1);
2068                     } else {
2069                         throw new SSLException("unknown protocol " + applicationProtocol);
2070                     }
2071                 }
2072             }
2073         }
2074 
2075         @Override
2076         public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
2077             synchronized (ReferenceCountedOpenSslEngine.this) {
2078                 if (isEmpty(peerCerts)) {
2079                     throw new SSLPeerUnverifiedException("peer not verified");
2080                 }
2081                 return peerCerts.clone();
2082             }
2083         }
2084 
2085         @Override
2086         public Certificate[] getLocalCertificates() {
2087             if (localCerts == null) {
2088                 return null;
2089             }
2090             return localCerts.clone();
2091         }
2092 
2093         @Override
2094         public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
2095             synchronized (ReferenceCountedOpenSslEngine.this) {
2096                 if (isEmpty(x509PeerCerts)) {
2097                     throw new SSLPeerUnverifiedException("peer not verified");
2098                 }
2099                 return x509PeerCerts.clone();
2100             }
2101         }
2102 
2103         @Override
2104         public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
2105             Certificate[] peer = getPeerCertificates();
2106             // No need for null or length > 0 is needed as this is done in getPeerCertificates()
2107             // already.
2108             return ((java.security.cert.X509Certificate) peer[0]).getSubjectX500Principal();
2109         }
2110 
2111         @Override
2112         public Principal getLocalPrincipal() {
2113             Certificate[] local = localCerts;
2114             if (local == null || local.length == 0) {
2115                 return null;
2116             }
2117             return ((java.security.cert.X509Certificate) local[0]).getIssuerX500Principal();
2118         }
2119 
2120         @Override
2121         public String getCipherSuite() {
2122             synchronized (ReferenceCountedOpenSslEngine.this) {
2123                 if (cipher == null) {
2124                     return INVALID_CIPHER;
2125                 }
2126                 return cipher;
2127             }
2128         }
2129 
2130         @Override
2131         public String getProtocol() {
2132             String protocol = this.protocol;
2133             if (protocol == null) {
2134                 synchronized (ReferenceCountedOpenSslEngine.this) {
2135                     if (!isDestroyed()) {
2136                         protocol = SSL.getVersion(ssl);
2137                     } else {
2138                         protocol = StringUtil.EMPTY_STRING;
2139                     }
2140                 }
2141             }
2142             return protocol;
2143         }
2144 
2145         @Override
2146         public String getPeerHost() {
2147             return ReferenceCountedOpenSslEngine.this.getPeerHost();
2148         }
2149 
2150         @Override
2151         public int getPeerPort() {
2152             return ReferenceCountedOpenSslEngine.this.getPeerPort();
2153         }
2154 
2155         @Override
2156         public int getPacketBufferSize() {
2157             return maxEncryptedPacketLength();
2158         }
2159 
2160         @Override
2161         public int getApplicationBufferSize() {
2162             return applicationBufferSize;
2163         }
2164 
2165         /**
2166          * Expand (or increase) the value returned by {@link #getApplicationBufferSize()} if necessary.
2167          * <p>
2168          * This is only called in a synchronized block, so no need to use atomic operations.
2169          * @param packetLengthDataOnly The packet size which exceeds the current {@link #getApplicationBufferSize()}.
2170          */
2171         void tryExpandApplicationBufferSize(int packetLengthDataOnly) {
2172             if (packetLengthDataOnly > MAX_PLAINTEXT_LENGTH && applicationBufferSize != MAX_RECORD_SIZE) {
2173                 applicationBufferSize = MAX_RECORD_SIZE;
2174             }
2175         }
2176     }
2177 }