View Javadoc
1   /*
2    * Copyright 2016 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import io.netty.buffer.ByteBuf;
19  import io.netty.buffer.ByteBufAllocator;
20  import io.netty.handler.ssl.util.LazyX509Certificate;
21  import io.netty.internal.tcnative.AsyncSSLPrivateKeyMethod;
22  import io.netty.internal.tcnative.CertificateCompressionAlgo;
23  import io.netty.internal.tcnative.CertificateVerifier;
24  import io.netty.internal.tcnative.ResultCallback;
25  import io.netty.internal.tcnative.SSL;
26  import io.netty.internal.tcnative.SSLContext;
27  import io.netty.internal.tcnative.SSLPrivateKeyMethod;
28  import io.netty.util.AbstractReferenceCounted;
29  import io.netty.util.ReferenceCounted;
30  import io.netty.util.ResourceLeakDetector;
31  import io.netty.util.ResourceLeakDetectorFactory;
32  import io.netty.util.ResourceLeakTracker;
33  import io.netty.util.concurrent.Future;
34  import io.netty.util.concurrent.FutureListener;
35  import io.netty.util.concurrent.ImmediateExecutor;
36  import io.netty.util.internal.EmptyArrays;
37  import io.netty.util.internal.StringUtil;
38  import io.netty.util.internal.SystemPropertyUtil;
39  import io.netty.util.internal.UnstableApi;
40  import io.netty.util.internal.logging.InternalLogger;
41  import io.netty.util.internal.logging.InternalLoggerFactory;
42  
43  import java.security.PrivateKey;
44  import java.security.SignatureException;
45  import java.security.cert.CertPathValidatorException;
46  import java.security.cert.Certificate;
47  import java.security.cert.CertificateExpiredException;
48  import java.security.cert.CertificateNotYetValidException;
49  import java.security.cert.CertificateRevokedException;
50  import java.security.cert.X509Certificate;
51  import java.util.ArrayList;
52  import java.util.Arrays;
53  import java.util.Collections;
54  import java.util.LinkedHashSet;
55  import java.util.List;
56  import java.util.Map;
57  import java.util.Set;
58  import java.util.concurrent.ConcurrentHashMap;
59  import java.util.concurrent.Executor;
60  import java.util.concurrent.locks.Lock;
61  import java.util.concurrent.locks.ReadWriteLock;
62  import java.util.concurrent.locks.ReentrantReadWriteLock;
63  import javax.net.ssl.KeyManager;
64  import javax.net.ssl.KeyManagerFactory;
65  import javax.net.ssl.SNIServerName;
66  import javax.net.ssl.SSLEngine;
67  import javax.net.ssl.SSLException;
68  import javax.net.ssl.SSLHandshakeException;
69  import javax.net.ssl.TrustManager;
70  import javax.net.ssl.X509ExtendedTrustManager;
71  import javax.net.ssl.X509KeyManager;
72  import javax.net.ssl.X509TrustManager;
73  
74  import static io.netty.handler.ssl.OpenSsl.DEFAULT_CIPHERS;
75  import static io.netty.handler.ssl.OpenSsl.availableJavaCipherSuites;
76  import static io.netty.util.internal.ObjectUtil.checkNonEmpty;
77  import static io.netty.util.internal.ObjectUtil.checkNotNull;
78  import static io.netty.util.internal.ObjectUtil.checkPositiveOrZero;
79  
80  /**
81   * An implementation of {@link SslContext} which works with libraries that support the
82   * <a href="https://www.openssl.org/">OpenSsl</a> C library API.
83   * <p>Instances of this class must be {@link #release() released} or else native memory will leak!
84   *
85   * <p>Instances of this class <strong>must not</strong> be released before any {@link ReferenceCountedOpenSslEngine}
86   * which depends upon the instance of this class is released. Otherwise if any method of
87   * {@link ReferenceCountedOpenSslEngine} is called which uses this class's JNI resources the JVM may crash.
88   */
89  public abstract class ReferenceCountedOpenSslContext extends SslContext implements ReferenceCounted {
90      private static final InternalLogger logger =
91              InternalLoggerFactory.getInstance(ReferenceCountedOpenSslContext.class);
92  
93      private static final int DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE = Math.max(1,
94              SystemPropertyUtil.getInt("io.netty.handler.ssl.openssl.bioNonApplicationBufferSize",
95                      2048));
96      // Let's use tasks by default but still allow the user to disable it via system property just in case.
97      static final boolean USE_TASKS =
98              SystemPropertyUtil.getBoolean("io.netty.handler.ssl.openssl.useTasks", true);
99      private static final Integer DH_KEY_LENGTH;
100     private static final ResourceLeakDetector<ReferenceCountedOpenSslContext> leakDetector =
101             ResourceLeakDetectorFactory.instance().newResourceLeakDetector(ReferenceCountedOpenSslContext.class);
102 
103     // TODO: Maybe make configurable ?
104     protected static final int VERIFY_DEPTH = 10;
105 
106     static final boolean CLIENT_ENABLE_SESSION_TICKET =
107             SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", false);
108 
109     static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13 =
110             SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", true);
111 
112     static final boolean SERVER_ENABLE_SESSION_TICKET =
113             SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", false);
114 
115      static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13 =
116             SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", true);
117 
118     static final boolean SERVER_ENABLE_SESSION_CACHE =
119             SystemPropertyUtil.getBoolean("io.netty.handler.ssl.openssl.sessionCacheServer", true);
120     static final boolean CLIENT_ENABLE_SESSION_CACHE =
121             SystemPropertyUtil.getBoolean("io.netty.handler.ssl.openssl.sessionCacheClient", true);
122 
123     /**
124      * The OpenSSL SSL_CTX object.
125      *
126      * <strong>{@link #ctxLock} must be hold while using ctx!</strong>
127      */
128     protected long ctx;
129     private final List<String> unmodifiableCiphers;
130     private final OpenSslApplicationProtocolNegotiator apn;
131     private final int mode;
132 
133     // Reference Counting
134     private final ResourceLeakTracker<ReferenceCountedOpenSslContext> leak;
135     private final AbstractReferenceCounted refCnt = new AbstractReferenceCounted() {
136         @Override
137         public ReferenceCounted touch(Object hint) {
138             if (leak != null) {
139                 leak.record(hint);
140             }
141 
142             return ReferenceCountedOpenSslContext.this;
143         }
144 
145         @Override
146         protected void deallocate() {
147             destroy();
148             if (leak != null) {
149                 boolean closed = leak.close(ReferenceCountedOpenSslContext.this);
150                 assert closed;
151             }
152         }
153     };
154 
155     final Certificate[] keyCertChain;
156     final ClientAuth clientAuth;
157     final String[] protocols;
158     final String endpointIdentificationAlgorithm;
159     final List<SNIServerName> serverNames;
160     final boolean hasTLSv13Cipher;
161     final boolean hasTmpDhKeys;
162 
163     final boolean enableOcsp;
164     final OpenSslEngineMap engineMap = new DefaultOpenSslEngineMap();
165     final ReadWriteLock ctxLock = new ReentrantReadWriteLock();
166 
167     private volatile int bioNonApplicationBufferSize = DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE;
168 
169     @SuppressWarnings("deprecation")
170     static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR =
171             new OpenSslApplicationProtocolNegotiator() {
172                 @Override
173                 public ApplicationProtocolConfig.Protocol protocol() {
174                     return ApplicationProtocolConfig.Protocol.NONE;
175                 }
176 
177                 @Override
178                 public List<String> protocols() {
179                     return Collections.emptyList();
180                 }
181 
182                 @Override
183                 public ApplicationProtocolConfig.SelectorFailureBehavior selectorFailureBehavior() {
184                     return ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL;
185                 }
186 
187                 @Override
188                 public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListenerFailureBehavior() {
189                     return ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT;
190                 }
191             };
192 
193     static {
194         Integer dhLen = null;
195 
196         try {
197             String dhKeySize = SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
198             if (dhKeySize != null) {
199                 try {
200                     dhLen = Integer.valueOf(dhKeySize);
201                 } catch (NumberFormatException e) {
202                     logger.debug("ReferenceCountedOpenSslContext supports -Djdk.tls.ephemeralDHKeySize={int}, but got: "
203                             + dhKeySize);
204                 }
205             }
206         } catch (Throwable ignore) {
207             // ignore
208         }
209         DH_KEY_LENGTH = dhLen;
210     }
211 
212     final boolean tlsFalseStart;
213 
214     ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
215                                    OpenSslApplicationProtocolNegotiator apn, int mode, Certificate[] keyCertChain,
216                                    ClientAuth clientAuth, String[] protocols, boolean startTls,
217                                    String endpointIdentificationAlgorithm, boolean enableOcsp,
218                                    boolean leakDetection, List<SNIServerName> serverNames,
219                                    ResumptionController resumptionController,
220                                    Map.Entry<SslContextOption<?>, Object>... ctxOptions)
221             throws SSLException {
222         super(startTls, resumptionController);
223 
224         OpenSsl.ensureAvailability();
225 
226         if (enableOcsp && !OpenSsl.isOcspSupported()) {
227             throw new IllegalStateException("OCSP is not supported.");
228         }
229 
230         if (mode != SSL.SSL_MODE_SERVER && mode != SSL.SSL_MODE_CLIENT) {
231             throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
232         }
233 
234         boolean tlsFalseStart = false;
235         boolean useTasks = USE_TASKS;
236         OpenSslPrivateKeyMethod privateKeyMethod = null;
237         OpenSslAsyncPrivateKeyMethod asyncPrivateKeyMethod = null;
238         OpenSslCertificateCompressionConfig certCompressionConfig = null;
239         Integer maxCertificateList = null;
240         Integer tmpDhKeyLength = null;
241         String[] groups = OpenSsl.NAMED_GROUPS;
242         if (ctxOptions != null) {
243             for (Map.Entry<SslContextOption<?>, Object> ctxOpt : ctxOptions) {
244                 SslContextOption<?> option = ctxOpt.getKey();
245 
246                 if (option == OpenSslContextOption.TLS_FALSE_START) {
247                     tlsFalseStart = (Boolean) ctxOpt.getValue();
248                 } else if (option == OpenSslContextOption.USE_TASKS) {
249                     useTasks = (Boolean) ctxOpt.getValue();
250                 } else if (option == OpenSslContextOption.PRIVATE_KEY_METHOD) {
251                     privateKeyMethod = (OpenSslPrivateKeyMethod) ctxOpt.getValue();
252                 } else if (option == OpenSslContextOption.ASYNC_PRIVATE_KEY_METHOD) {
253                     asyncPrivateKeyMethod = (OpenSslAsyncPrivateKeyMethod) ctxOpt.getValue();
254                 } else if (option == OpenSslContextOption.CERTIFICATE_COMPRESSION_ALGORITHMS) {
255                     certCompressionConfig = (OpenSslCertificateCompressionConfig) ctxOpt.getValue();
256                 } else if (option == OpenSslContextOption.MAX_CERTIFICATE_LIST_BYTES) {
257                     maxCertificateList = (Integer) ctxOpt.getValue();
258                 } else if (option == OpenSslContextOption.TMP_DH_KEYLENGTH) {
259                     tmpDhKeyLength = (Integer) ctxOpt.getValue();
260                 } else if (option == OpenSslContextOption.GROUPS) {
261                     String[] groupsArray = (String[]) ctxOpt.getValue();
262                     Set<String> groupsSet = new LinkedHashSet<String>(groupsArray.length);
263                     for (String group : groupsArray) {
264                         groupsSet.add(GroupsConverter.toOpenSsl(group));
265                     }
266                     groups = groupsSet.toArray(EmptyArrays.EMPTY_STRINGS);
267                 } else {
268                     logger.debug("Skipping unsupported " + SslContextOption.class.getSimpleName()
269                             + ": " + ctxOpt.getKey());
270                 }
271             }
272         }
273         if (privateKeyMethod != null && asyncPrivateKeyMethod != null) {
274             throw new IllegalArgumentException("You can either only use "
275                     + OpenSslAsyncPrivateKeyMethod.class.getSimpleName() + " or "
276                     + OpenSslPrivateKeyMethod.class.getSimpleName());
277         }
278 
279         this.tlsFalseStart = tlsFalseStart;
280 
281         leak = leakDetection ? leakDetector.track(this) : null;
282         this.mode = mode;
283         this.clientAuth = isServer() ? checkNotNull(clientAuth, "clientAuth") : ClientAuth.NONE;
284         this.protocols = protocols == null ? OpenSsl.defaultProtocols(mode == SSL.SSL_MODE_CLIENT) : protocols;
285         this.endpointIdentificationAlgorithm = endpointIdentificationAlgorithm;
286         this.serverNames = serverNames;
287         this.enableOcsp = enableOcsp;
288 
289         this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
290 
291         String[] suites = checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
292                 ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites());
293         // Filter out duplicates.
294         LinkedHashSet<String> suitesSet = new LinkedHashSet<String>(suites.length);
295         Collections.addAll(suitesSet, suites);
296         unmodifiableCiphers = new ArrayList<String>(suitesSet);
297 
298         this.apn = checkNotNull(apn, "apn");
299 
300         // Create a new SSL_CTX and configure it.
301         boolean success = false;
302         try {
303             boolean tlsv13Supported = OpenSsl.isTlsv13Supported();
304             boolean anyTlsv13Ciphers = false;
305             try {
306                 int protocolOpts = SSL.SSL_PROTOCOL_SSLV3 | SSL.SSL_PROTOCOL_TLSV1 |
307                         SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2;
308                 if (tlsv13Supported) {
309                     protocolOpts |= SSL.SSL_PROTOCOL_TLSV1_3;
310                 }
311                 ctx = SSLContext.make(protocolOpts, mode);
312             } catch (Exception e) {
313                 throw new SSLException("failed to create an SSL_CTX", e);
314             }
315 
316             StringBuilder cipherBuilder = new StringBuilder();
317             StringBuilder cipherTLSv13Builder = new StringBuilder();
318 
319             /* List the ciphers that are permitted to negotiate. */
320             try {
321                 if (unmodifiableCiphers.isEmpty()) {
322                     // Set non TLSv1.3 ciphers.
323                     SSLContext.setCipherSuite(ctx, StringUtil.EMPTY_STRING, false);
324                     if (tlsv13Supported) {
325                         // Set TLSv1.3 ciphers.
326                         SSLContext.setCipherSuite(ctx, StringUtil.EMPTY_STRING, true);
327                     }
328                 } else {
329                     CipherSuiteConverter.convertToCipherStrings(
330                             unmodifiableCiphers, cipherBuilder, cipherTLSv13Builder, OpenSsl.isBoringSSL());
331 
332                     // Set non TLSv1.3 ciphers.
333                     SSLContext.setCipherSuite(ctx, cipherBuilder.toString(), false);
334                     if (tlsv13Supported) {
335                         // Set TLSv1.3 ciphers.
336                         String tlsv13Ciphers = OpenSsl.checkTls13Ciphers(logger, cipherTLSv13Builder.toString());
337                         SSLContext.setCipherSuite(ctx, tlsv13Ciphers, true);
338                         if (!tlsv13Ciphers.isEmpty()) {
339                             anyTlsv13Ciphers = true;
340                         }
341                     }
342                 }
343             } catch (SSLException e) {
344                 throw e;
345             } catch (Exception e) {
346                 throw new SSLException("failed to set cipher suite: " + unmodifiableCiphers, e);
347             }
348 
349             int options = SSLContext.getOptions(ctx) |
350                     SSL.SSL_OP_NO_SSLv2 |
351                     SSL.SSL_OP_NO_SSLv3 |
352                     // Disable TLSv1 and TLSv1.1 by default as these are not considered secure anymore
353                     // and the JDK is doing the same:
354                     // https://www.oracle.com/java/technologies/javase/8u291-relnotes.html
355                     SSL.SSL_OP_NO_TLSv1 |
356                     SSL.SSL_OP_NO_TLSv1_1 |
357 
358                     SSL.SSL_OP_CIPHER_SERVER_PREFERENCE |
359 
360                     // We do not support compression at the moment so we should explicitly disable it.
361                     SSL.SSL_OP_NO_COMPRESSION |
362 
363                     // Disable ticket support by default to be more inline with SSLEngineImpl of the JDK.
364                     // This also let SSLSession.getId() work the same way for the JDK implementation and the
365                     // OpenSSLEngine. If tickets are supported SSLSession.getId() will only return an ID on the
366                     // server-side if it could make use of tickets.
367                     SSL.SSL_OP_NO_TICKET;
368 
369             if (cipherBuilder.length() == 0) {
370                 // No ciphers that are compatible with SSLv2 / SSLv3 / TLSv1 / TLSv1.1 / TLSv1.2
371                 options |= SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSL.SSL_OP_NO_TLSv1
372                         | SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_NO_TLSv1_2;
373             }
374 
375             if (!tlsv13Supported) {
376                 // Explicit disable TLSv1.3
377                 // See:
378                 //  - https://github.com/netty/netty/issues/12968
379                 options |= SSL.SSL_OP_NO_TLSv1_3;
380             }
381 
382             hasTLSv13Cipher = anyTlsv13Ciphers;
383             SSLContext.setOptions(ctx, options);
384 
385             // We need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as the memory address may change between
386             // calling OpenSSLEngine.wrap(...).
387             // See https://github.com/netty/netty-tcnative/issues/100
388             SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
389 
390             if (tmpDhKeyLength != null) {
391                 SSLContext.setTmpDHLength(ctx, tmpDhKeyLength);
392                 hasTmpDhKeys = true;
393             } else if (DH_KEY_LENGTH != null) {
394                 SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
395                 hasTmpDhKeys = true;
396             } else {
397                 hasTmpDhKeys = false;
398             }
399 
400             List<String> nextProtoList = apn.protocols();
401             /* Set next protocols for next protocol negotiation extension, if specified */
402             if (!nextProtoList.isEmpty()) {
403                 String[] appProtocols = nextProtoList.toArray(EmptyArrays.EMPTY_STRINGS);
404                 int selectorBehavior = opensslSelectorFailureBehavior(apn.selectorFailureBehavior());
405 
406                 switch (apn.protocol()) {
407                     case NPN:
408                         SSLContext.setNpnProtos(ctx, appProtocols, selectorBehavior);
409                         break;
410                     case ALPN:
411                         SSLContext.setAlpnProtos(ctx, appProtocols, selectorBehavior);
412                         break;
413                     case NPN_AND_ALPN:
414                         SSLContext.setNpnProtos(ctx, appProtocols, selectorBehavior);
415                         SSLContext.setAlpnProtos(ctx, appProtocols, selectorBehavior);
416                         break;
417                     default:
418                         throw new Error();
419                 }
420             }
421 
422             if (enableOcsp) {
423                 SSLContext.enableOcsp(ctx, isClient());
424             }
425 
426             SSLContext.setUseTasks(ctx, useTasks);
427             if (privateKeyMethod != null) {
428                 SSLContext.setPrivateKeyMethod(ctx, new PrivateKeyMethod(engineMap, privateKeyMethod));
429             }
430             if (asyncPrivateKeyMethod != null) {
431                 SSLContext.setPrivateKeyMethod(ctx, new AsyncPrivateKeyMethod(engineMap, asyncPrivateKeyMethod));
432             }
433             if (certCompressionConfig != null) {
434                 for (OpenSslCertificateCompressionConfig.AlgorithmConfig configPair : certCompressionConfig) {
435                     final CertificateCompressionAlgo algo = new CompressionAlgorithm(engineMap, configPair.algorithm());
436                     switch (configPair.mode()) {
437                         case Decompress:
438                             SSLContext.addCertificateCompressionAlgorithm(
439                                     ctx, SSL.SSL_CERT_COMPRESSION_DIRECTION_DECOMPRESS, algo);
440                             break;
441                         case Compress:
442                             SSLContext.addCertificateCompressionAlgorithm(
443                                     ctx, SSL.SSL_CERT_COMPRESSION_DIRECTION_COMPRESS, algo);
444                             break;
445                         case Both:
446                             SSLContext.addCertificateCompressionAlgorithm(
447                                     ctx, SSL.SSL_CERT_COMPRESSION_DIRECTION_BOTH, algo);
448                             break;
449                         default:
450                             throw new IllegalStateException();
451                     }
452                 }
453             }
454             if (maxCertificateList != null) {
455                 SSLContext.setMaxCertList(ctx, maxCertificateList);
456             }
457 
458             // Set the curves / groups if anything is configured.
459             if (groups.length > 0 && !SSLContext.setCurvesList(ctx, groups)) {
460                 String msg = "failed to set curves / groups suite: " + Arrays.toString(groups);
461                 int err = SSL.getLastErrorNumber();
462                 if (err != 0) {
463                     // We have some more details about why the operations failed, include these into the message.
464                     msg += ". " + SSL.getErrorString(err);
465                 }
466                 throw new SSLException(msg);
467             }
468             success = true;
469         } finally {
470             if (!success) {
471                 release();
472             }
473         }
474     }
475 
476     private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior) {
477         switch (behavior) {
478             case NO_ADVERTISE:
479                 return SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE;
480             case CHOOSE_MY_LAST_PROTOCOL:
481                 return SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL;
482             default:
483                 throw new Error();
484         }
485     }
486 
487     @Override
488     public final List<String> cipherSuites() {
489         return unmodifiableCiphers;
490     }
491 
492     @Override
493     public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
494         return apn;
495     }
496 
497     @Override
498     public final boolean isClient() {
499         return mode == SSL.SSL_MODE_CLIENT;
500     }
501 
502     @Override
503     public final SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
504         return newEngine0(alloc, peerHost, peerPort, true);
505     }
506 
507     @Override
508     protected final SslHandler newHandler(ByteBufAllocator alloc, boolean startTls) {
509         return new SslHandler(newEngine0(alloc, null, -1, false), startTls, ImmediateExecutor.INSTANCE,
510                 resumptionController);
511     }
512 
513     @Override
514     protected final SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls) {
515         return new SslHandler(newEngine0(alloc, peerHost, peerPort, false), startTls, ImmediateExecutor.INSTANCE,
516                 resumptionController);
517     }
518 
519     @Override
520     protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls, Executor executor) {
521         return new SslHandler(newEngine0(alloc, null, -1, false), startTls, executor, resumptionController);
522     }
523 
524     @Override
525     protected SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort,
526                                     boolean startTls, Executor executor) {
527         return new SslHandler(newEngine0(alloc, peerHost, peerPort, false), false, executor, resumptionController);
528     }
529 
530     SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort, boolean jdkCompatibilityMode) {
531         return new ReferenceCountedOpenSslEngine(this, alloc, peerHost, peerPort, jdkCompatibilityMode, true,
532                 endpointIdentificationAlgorithm, serverNames);
533     }
534 
535     /**
536      * Returns a new server-side {@link SSLEngine} with the current configuration.
537      */
538     @Override
539     public final SSLEngine newEngine(ByteBufAllocator alloc) {
540         return newEngine(alloc, null, -1);
541     }
542 
543     /**
544      * Returns the pointer to the {@code SSL_CTX} object for this {@link ReferenceCountedOpenSslContext}.
545      * Be aware that it is freed as soon as the {@link #finalize()}  method is called.
546      * At this point {@code 0} will be returned.
547      *
548      * @deprecated this method is considered unsafe as the returned pointer may be released later. Dont use it!
549      */
550     @Deprecated
551     public final long context() {
552         return sslCtxPointer();
553     }
554 
555     /**
556      * Returns the stats of this context.
557      *
558      * @deprecated use {@link #sessionContext#stats()}
559      */
560     @Deprecated
561     public final OpenSslSessionStats stats() {
562         return sessionContext().stats();
563     }
564 
565     /**
566      * {@deprecated Renegotiation is not supported}
567      * Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries
568      * to initiate a renegotiation a {@link SSLHandshakeException} will be thrown during decoding.
569      */
570     @Deprecated
571     public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation) {
572         if (!rejectRemoteInitiatedRenegotiation) {
573             throw new UnsupportedOperationException("Renegotiation is not supported");
574         }
575     }
576 
577     /**
578      * {@deprecated Renegotiation is not supported}
579      * @return {@code true} because renegotiation is not supported.
580      */
581     @Deprecated
582     public boolean getRejectRemoteInitiatedRenegotiation() {
583         return true;
584     }
585 
586     /**
587      * Set the size of the buffer used by the BIO for non-application based writes
588      * (e.g. handshake, renegotiation, etc...).
589      */
590     public void setBioNonApplicationBufferSize(int bioNonApplicationBufferSize) {
591         this.bioNonApplicationBufferSize =
592                 checkPositiveOrZero(bioNonApplicationBufferSize, "bioNonApplicationBufferSize");
593     }
594 
595     /**
596      * Returns the size of the buffer used by the BIO for non-application based writes
597      */
598     public int getBioNonApplicationBufferSize() {
599         return bioNonApplicationBufferSize;
600     }
601 
602     /**
603      * Sets the SSL session ticket keys of this context.
604      *
605      * @deprecated use {@link OpenSslSessionContext#setTicketKeys(byte[])}
606      */
607     @Deprecated
608     public final void setTicketKeys(byte[] keys) {
609         sessionContext().setTicketKeys(keys);
610     }
611 
612     @Override
613     public abstract OpenSslSessionContext sessionContext();
614 
615     /**
616      * Returns the pointer to the {@code SSL_CTX} object for this {@link ReferenceCountedOpenSslContext}.
617      * Be aware that it is freed as soon as the {@link #release()} method is called.
618      * At this point {@code 0} will be returned.
619      *
620      * @deprecated this method is considered unsafe as the returned pointer may be released later. Dont use it!
621      */
622     @Deprecated
623     public final long sslCtxPointer() {
624         Lock readerLock = ctxLock.readLock();
625         readerLock.lock();
626         try {
627             return SSLContext.getSslCtx(ctx);
628         } finally {
629             readerLock.unlock();
630         }
631     }
632 
633     /**
634      * Set the {@link OpenSslPrivateKeyMethod} to use. This allows to offload private-key operations
635      * if needed.
636      *
637      * This method is currently only supported when {@code BoringSSL} is used.
638      *
639      * @param        method method to use.
640      * @deprecated   use {@link SslContextBuilder#option(SslContextOption, Object)} with
641      *              {@link OpenSslContextOption#PRIVATE_KEY_METHOD}.
642      */
643     @Deprecated
644     @UnstableApi
645     public final void setPrivateKeyMethod(OpenSslPrivateKeyMethod method) {
646         checkNotNull(method, "method");
647         Lock writerLock = ctxLock.writeLock();
648         writerLock.lock();
649         try {
650             SSLContext.setPrivateKeyMethod(ctx, new PrivateKeyMethod(engineMap, method));
651         } finally {
652             writerLock.unlock();
653         }
654     }
655 
656     /**
657      * @deprecated   use {@link SslContextBuilder#option(SslContextOption, Object)} with
658      *              {@link OpenSslContextOption#USE_TASKS}.
659      */
660     @Deprecated
661     public final void setUseTasks(boolean useTasks) {
662         Lock writerLock = ctxLock.writeLock();
663         writerLock.lock();
664         try {
665             SSLContext.setUseTasks(ctx, useTasks);
666         } finally {
667             writerLock.unlock();
668         }
669     }
670 
671     // IMPORTANT: This method must only be called from either the constructor or the finalizer as a user MUST never
672     //            get access to an OpenSslSessionContext after this method was called to prevent the user from
673     //            producing a segfault.
674     private void destroy() {
675         Lock writerLock = ctxLock.writeLock();
676         writerLock.lock();
677         try {
678             if (ctx != 0) {
679                 if (enableOcsp) {
680                     SSLContext.disableOcsp(ctx);
681                 }
682 
683                 SSLContext.free(ctx);
684                 ctx = 0;
685 
686                 OpenSslSessionContext context = sessionContext();
687                 if (context != null) {
688                     context.destroy();
689                 }
690             }
691         } finally {
692             writerLock.unlock();
693         }
694     }
695 
696     protected static X509Certificate[] certificates(byte[][] chain) {
697         X509Certificate[] peerCerts = new X509Certificate[chain.length];
698         for (int i = 0; i < peerCerts.length; i++) {
699             peerCerts[i] = new LazyX509Certificate(chain[i]);
700         }
701         return peerCerts;
702     }
703 
704     /**
705      * @deprecated This method is kept for API backwards compatibility.
706      */
707     @Deprecated
708     protected static X509TrustManager chooseTrustManager(TrustManager[] managers) {
709         return chooseTrustManager(managers, null);
710     }
711 
712     static X509TrustManager chooseTrustManager(TrustManager[] managers,
713                                                          ResumptionController resumptionController) {
714         for (TrustManager m : managers) {
715             if (m instanceof X509TrustManager) {
716                 X509TrustManager tm = (X509TrustManager) m;
717                 if (resumptionController != null) {
718                     tm = (X509TrustManager) resumptionController.wrapIfNeeded(tm);
719                 }
720                 tm = OpenSslX509TrustManagerWrapper.wrapIfNeeded((X509TrustManager) m);
721                 if (useExtendedTrustManager(tm)) {
722                     // Wrap the TrustManager to provide a better exception message for users to debug hostname
723                     // validation failures.
724                     tm = new EnhancingX509ExtendedTrustManager(tm);
725                 }
726                 return tm;
727             }
728         }
729         throw new IllegalStateException("no X509TrustManager found");
730     }
731 
732     protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms) {
733         for (KeyManager km : kms) {
734             if (km instanceof X509KeyManager) {
735                 return (X509KeyManager) km;
736             }
737         }
738         throw new IllegalStateException("no X509KeyManager found");
739     }
740 
741     /**
742      * Translate a {@link ApplicationProtocolConfig} object to a
743      * {@link OpenSslApplicationProtocolNegotiator} object.
744      *
745      * @param config The configuration which defines the translation
746      * @return The results of the translation
747      */
748     @SuppressWarnings("deprecation")
749     static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config) {
750         if (config == null) {
751             return NONE_PROTOCOL_NEGOTIATOR;
752         }
753 
754         switch (config.protocol()) {
755             case NONE:
756                 return NONE_PROTOCOL_NEGOTIATOR;
757             case ALPN:
758             case NPN:
759             case NPN_AND_ALPN:
760                 switch (config.selectedListenerFailureBehavior()) {
761                     case CHOOSE_MY_LAST_PROTOCOL:
762                     case ACCEPT:
763                         switch (config.selectorFailureBehavior()) {
764                             case CHOOSE_MY_LAST_PROTOCOL:
765                             case NO_ADVERTISE:
766                                 return new OpenSslDefaultApplicationProtocolNegotiator(
767                                         config);
768                             default:
769                                 throw new UnsupportedOperationException(
770                                         new StringBuilder("OpenSSL provider does not support ")
771                                                 .append(config.selectorFailureBehavior())
772                                                 .append(" behavior").toString());
773                         }
774                     default:
775                         throw new UnsupportedOperationException(
776                                 new StringBuilder("OpenSSL provider does not support ")
777                                         .append(config.selectedListenerFailureBehavior())
778                                         .append(" behavior").toString());
779                 }
780             default:
781                 throw new Error();
782         }
783     }
784 
785     static boolean useExtendedTrustManager(X509TrustManager trustManager) {
786         return trustManager instanceof X509ExtendedTrustManager;
787     }
788 
789     @Override
790     public final int refCnt() {
791         return refCnt.refCnt();
792     }
793 
794     @Override
795     public final ReferenceCounted retain() {
796         refCnt.retain();
797         return this;
798     }
799 
800     @Override
801     public final ReferenceCounted retain(int increment) {
802         refCnt.retain(increment);
803         return this;
804     }
805 
806     @Override
807     public final ReferenceCounted touch() {
808         refCnt.touch();
809         return this;
810     }
811 
812     @Override
813     public final ReferenceCounted touch(Object hint) {
814         refCnt.touch(hint);
815         return this;
816     }
817 
818     @Override
819     public final boolean release() {
820         return refCnt.release();
821     }
822 
823     @Override
824     public final boolean release(int decrement) {
825         return refCnt.release(decrement);
826     }
827 
828     abstract static class AbstractCertificateVerifier extends CertificateVerifier {
829         private final OpenSslEngineMap engineMap;
830 
831         AbstractCertificateVerifier(OpenSslEngineMap engineMap) {
832             this.engineMap = engineMap;
833         }
834 
835         @Override
836         public final int verify(long ssl, byte[][] chain, String auth) {
837             final ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
838             if (engine == null) {
839                 // May be null if it was destroyed in the meantime.
840                 return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
841             }
842             X509Certificate[] peerCerts = certificates(chain);
843             try {
844                 verify(engine, peerCerts, auth);
845                 return CertificateVerifier.X509_V_OK;
846             } catch (Throwable cause) {
847                 logger.debug("verification of certificate failed", cause);
848                 engine.initHandshakeException(cause);
849 
850                 // Try to extract the correct error code that should be used.
851                 if (cause instanceof OpenSslCertificateException) {
852                     // This will never return a negative error code as its validated when constructing the
853                     // OpenSslCertificateException.
854                     return ((OpenSslCertificateException) cause).errorCode();
855                 }
856                 if (cause instanceof CertificateExpiredException) {
857                     return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
858                 }
859                 if (cause instanceof CertificateNotYetValidException) {
860                     return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
861                 }
862                 return translateToError(cause);
863             }
864         }
865 
866         private static int translateToError(Throwable cause) {
867             if (cause instanceof CertificateRevokedException) {
868                 return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
869             }
870 
871             // The X509TrustManagerImpl uses a Validator which wraps a CertPathValidatorException into
872             // an CertificateException. So we need to handle the wrapped CertPathValidatorException to be
873             // able to send the correct alert.
874             Throwable wrapped = cause.getCause();
875             while (wrapped != null) {
876                 if (wrapped instanceof CertPathValidatorException) {
877                     CertPathValidatorException ex = (CertPathValidatorException) wrapped;
878                     CertPathValidatorException.Reason reason = ex.getReason();
879                     if (reason == CertPathValidatorException.BasicReason.EXPIRED) {
880                         return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
881                     }
882                     if (reason == CertPathValidatorException.BasicReason.NOT_YET_VALID) {
883                         return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
884                     }
885                     if (reason == CertPathValidatorException.BasicReason.REVOKED) {
886                         return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
887                     }
888                 }
889                 wrapped = wrapped.getCause();
890             }
891             return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
892         }
893 
894         abstract void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts,
895                              String auth) throws Exception;
896     }
897 
898     private static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
899         private final Map<Long, ReferenceCountedOpenSslEngine> engines = new ConcurrentHashMap<>();
900 
901         @Override
902         public ReferenceCountedOpenSslEngine remove(long ssl) {
903             return engines.remove(ssl);
904         }
905 
906         @Override
907         public void add(ReferenceCountedOpenSslEngine engine) {
908             engines.put(engine.sslPointer(), engine);
909         }
910 
911         @Override
912         public ReferenceCountedOpenSslEngine get(long ssl) {
913             return engines.get(ssl);
914         }
915     }
916 
917     static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
918             throws SSLException {
919          /* Load the certificate file and private key. */
920         long keyBio = 0;
921         long keyCertChainBio = 0;
922         long keyCertChainBio2 = 0;
923         PemEncoded encoded = null;
924         try {
925             // Only encode one time
926             encoded = PemX509Certificate.toPEM(ByteBufAllocator.DEFAULT, true, keyCertChain);
927             keyCertChainBio = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
928             keyCertChainBio2 = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
929 
930             if (key != null) {
931                 keyBio = toBIO(ByteBufAllocator.DEFAULT, key);
932             }
933 
934             SSLContext.setCertificateBio(
935                     ctx, keyCertChainBio, keyBio,
936                     keyPassword == null ? StringUtil.EMPTY_STRING : keyPassword);
937             // We may have more then one cert in the chain so add all of them now.
938             SSLContext.setCertificateChainBio(ctx, keyCertChainBio2, true);
939         } catch (SSLException e) {
940             throw e;
941         } catch (Exception e) {
942             throw new SSLException("failed to set certificate and key", e);
943         } finally {
944             freeBio(keyBio);
945             freeBio(keyCertChainBio);
946             freeBio(keyCertChainBio2);
947             if (encoded != null) {
948                 encoded.release();
949             }
950         }
951     }
952 
953     static void freeBio(long bio) {
954         if (bio != 0) {
955             SSL.freeBIO(bio);
956         }
957     }
958 
959     /**
960      * Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
961      * or {@code 0} if the {@code key} is {@code null}. The BIO contains the content of the {@code key}.
962      */
963     static long toBIO(ByteBufAllocator allocator, PrivateKey key) throws Exception {
964         if (key == null) {
965             return 0;
966         }
967 
968         PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
969         try {
970             return toBIO(allocator, pem.retain());
971         } finally {
972             pem.release();
973         }
974     }
975 
976     /**
977      * Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
978      * or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
979      */
980     static long toBIO(ByteBufAllocator allocator, X509Certificate... certChain) throws Exception {
981         if (certChain == null) {
982             return 0;
983         }
984 
985         checkNonEmpty(certChain, "certChain");
986 
987         PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
988         try {
989             return toBIO(allocator, pem.retain());
990         } finally {
991             pem.release();
992         }
993     }
994 
995     static long toBIO(ByteBufAllocator allocator, PemEncoded pem) throws Exception {
996         try {
997             // We can turn direct buffers straight into BIOs. No need to
998             // make a yet another copy.
999             ByteBuf content = pem.content();
1000 
1001             if (content.isDirect()) {
1002                 return newBIO(content.retainedSlice());
1003             }
1004 
1005             ByteBuf buffer = allocator.directBuffer(content.readableBytes());
1006             try {
1007                 buffer.writeBytes(content, content.readerIndex(), content.readableBytes());
1008                 return newBIO(buffer.retainedSlice());
1009             } finally {
1010                 try {
1011                     // If the contents of the ByteBuf is sensitive (e.g. a PrivateKey) we
1012                     // need to zero out the bytes of the copy before we're releasing it.
1013                     if (pem.isSensitive()) {
1014                         SslUtils.zeroout(buffer);
1015                     }
1016                 } finally {
1017                     buffer.release();
1018                 }
1019             }
1020         } finally {
1021             pem.release();
1022         }
1023     }
1024 
1025     private static long newBIO(ByteBuf buffer) throws Exception {
1026         try {
1027             long bio = SSL.newMemBIO();
1028             int readable = buffer.readableBytes();
1029             if (SSL.bioWrite(bio, OpenSsl.memoryAddress(buffer) + buffer.readerIndex(), readable) != readable) {
1030                 SSL.freeBIO(bio);
1031                 throw new IllegalStateException("Could not write data to memory BIO");
1032             }
1033             return bio;
1034         } finally {
1035             buffer.release();
1036         }
1037     }
1038 
1039     /**
1040      * Returns the {@link OpenSslKeyMaterialProvider} that should be used for OpenSSL. Depending on the given
1041      * {@link KeyManagerFactory} this may cache the {@link OpenSslKeyMaterial} for better performance if it can
1042      * ensure that the same material is always returned for the same alias.
1043      */
1044     static OpenSslKeyMaterialProvider providerFor(KeyManagerFactory factory, String password) {
1045         if (factory instanceof OpenSslX509KeyManagerFactory) {
1046             return ((OpenSslX509KeyManagerFactory) factory).newProvider();
1047         }
1048 
1049         if (factory instanceof OpenSslCachingX509KeyManagerFactory) {
1050             // The user explicit used OpenSslCachingX509KeyManagerFactory which signals us that its fine to cache.
1051             return ((OpenSslCachingX509KeyManagerFactory) factory).newProvider(password);
1052         }
1053         // We can not be sure if the material may change at runtime so we will not cache it.
1054         return new OpenSslKeyMaterialProvider(chooseX509KeyManager(factory.getKeyManagers()), password);
1055     }
1056 
1057     private static ReferenceCountedOpenSslEngine retrieveEngine(OpenSslEngineMap engineMap, long ssl)
1058             throws SSLException {
1059         ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
1060         if (engine == null) {
1061             throw new SSLException("Could not find a " +
1062                     StringUtil.simpleClassName(ReferenceCountedOpenSslEngine.class) + " for sslPointer " + ssl);
1063         }
1064         return engine;
1065     }
1066 
1067     private static final class PrivateKeyMethod implements SSLPrivateKeyMethod {
1068 
1069         private final OpenSslEngineMap engineMap;
1070         private final OpenSslPrivateKeyMethod keyMethod;
1071         PrivateKeyMethod(OpenSslEngineMap engineMap, OpenSslPrivateKeyMethod keyMethod) {
1072             this.engineMap = engineMap;
1073             this.keyMethod = keyMethod;
1074         }
1075 
1076         @Override
1077         public byte[] sign(long ssl, int signatureAlgorithm, byte[] digest) throws Exception {
1078             ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1079             try {
1080                 return verifyResult(keyMethod.sign(engine, signatureAlgorithm, digest));
1081             } catch (Exception e) {
1082                 engine.initHandshakeException(e);
1083                 throw e;
1084             }
1085         }
1086 
1087         @Override
1088         public byte[] decrypt(long ssl, byte[] input) throws Exception {
1089             ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1090             try {
1091                 return verifyResult(keyMethod.decrypt(engine, input));
1092             } catch (Exception e) {
1093                 engine.initHandshakeException(e);
1094                 throw e;
1095             }
1096         }
1097     }
1098 
1099     private static final class AsyncPrivateKeyMethod implements AsyncSSLPrivateKeyMethod {
1100 
1101         private final OpenSslEngineMap engineMap;
1102         private final OpenSslAsyncPrivateKeyMethod keyMethod;
1103 
1104         AsyncPrivateKeyMethod(OpenSslEngineMap engineMap, OpenSslAsyncPrivateKeyMethod keyMethod) {
1105             this.engineMap = engineMap;
1106             this.keyMethod = keyMethod;
1107         }
1108 
1109         @Override
1110         public void sign(long ssl, int signatureAlgorithm, byte[] bytes, ResultCallback<byte[]> resultCallback) {
1111             try {
1112                 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1113                 keyMethod.sign(engine, signatureAlgorithm, bytes)
1114                         .addListener(new ResultCallbackListener(engine, ssl, resultCallback));
1115             } catch (SSLException e) {
1116                 resultCallback.onError(ssl, e);
1117             }
1118         }
1119 
1120         @Override
1121         public void decrypt(long ssl, byte[] bytes, ResultCallback<byte[]> resultCallback) {
1122             try {
1123                 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1124                 keyMethod.decrypt(engine, bytes)
1125                         .addListener(new ResultCallbackListener(engine, ssl, resultCallback));
1126             } catch (SSLException e) {
1127                 resultCallback.onError(ssl, e);
1128             }
1129         }
1130 
1131         private static final class ResultCallbackListener implements FutureListener<byte[]> {
1132             private final ReferenceCountedOpenSslEngine engine;
1133             private final long ssl;
1134             private final ResultCallback<byte[]> resultCallback;
1135 
1136             ResultCallbackListener(ReferenceCountedOpenSslEngine engine, long ssl,
1137                                    ResultCallback<byte[]> resultCallback) {
1138                 this.engine = engine;
1139                 this.ssl = ssl;
1140                 this.resultCallback = resultCallback;
1141             }
1142 
1143             @Override
1144             public void operationComplete(Future<byte[]> future) {
1145                 Throwable cause = future.cause();
1146                 if (cause == null) {
1147                     try {
1148                         byte[] result = verifyResult(future.getNow());
1149                         resultCallback.onSuccess(ssl, result);
1150                         return;
1151                     } catch (SignatureException e) {
1152                         cause = e;
1153                         engine.initHandshakeException(e);
1154                     }
1155                 }
1156                 resultCallback.onError(ssl, cause);
1157             }
1158         }
1159     }
1160 
1161     private static byte[] verifyResult(byte[] result) throws SignatureException {
1162         if (result == null) {
1163             throw new SignatureException();
1164         }
1165         return result;
1166     }
1167 
1168     private static final class CompressionAlgorithm implements CertificateCompressionAlgo {
1169         private final OpenSslEngineMap engineMap;
1170         private final OpenSslCertificateCompressionAlgorithm compressionAlgorithm;
1171 
1172         CompressionAlgorithm(OpenSslEngineMap engineMap, OpenSslCertificateCompressionAlgorithm compressionAlgorithm) {
1173             this.engineMap = engineMap;
1174             this.compressionAlgorithm = compressionAlgorithm;
1175         }
1176 
1177         @Override
1178         public byte[] compress(long ssl, byte[] bytes) throws Exception {
1179             ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1180             return compressionAlgorithm.compress(engine, bytes);
1181         }
1182 
1183         @Override
1184         public byte[] decompress(long ssl, int len, byte[] bytes) throws Exception {
1185             ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1186             return compressionAlgorithm.decompress(engine, len, bytes);
1187         }
1188 
1189         @Override
1190         public int algorithmId() {
1191             return compressionAlgorithm.algorithmId();
1192         }
1193     }
1194 }