1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16 package io.netty.handler.ssl;
17
18 import io.netty.buffer.ByteBuf;
19 import io.netty.buffer.ByteBufAllocator;
20 import io.netty.handler.ssl.util.LazyX509Certificate;
21 import io.netty.internal.tcnative.AsyncSSLPrivateKeyMethod;
22 import io.netty.internal.tcnative.CertificateCompressionAlgo;
23 import io.netty.internal.tcnative.CertificateVerifier;
24 import io.netty.internal.tcnative.ResultCallback;
25 import io.netty.internal.tcnative.SSL;
26 import io.netty.internal.tcnative.SSLContext;
27 import io.netty.internal.tcnative.SSLPrivateKeyMethod;
28 import io.netty.util.AbstractReferenceCounted;
29 import io.netty.util.ReferenceCounted;
30 import io.netty.util.ResourceLeakDetector;
31 import io.netty.util.ResourceLeakDetectorFactory;
32 import io.netty.util.ResourceLeakTracker;
33 import io.netty.util.concurrent.Future;
34 import io.netty.util.concurrent.FutureListener;
35 import io.netty.util.concurrent.ImmediateExecutor;
36 import io.netty.util.internal.EmptyArrays;
37 import io.netty.util.internal.StringUtil;
38 import io.netty.util.internal.SystemPropertyUtil;
39 import io.netty.util.internal.UnstableApi;
40 import io.netty.util.internal.logging.InternalLogger;
41 import io.netty.util.internal.logging.InternalLoggerFactory;
42
43 import java.security.PrivateKey;
44 import java.security.SignatureException;
45 import java.security.cert.CertPathValidatorException;
46 import java.security.cert.Certificate;
47 import java.security.cert.CertificateExpiredException;
48 import java.security.cert.CertificateNotYetValidException;
49 import java.security.cert.CertificateRevokedException;
50 import java.security.cert.X509Certificate;
51 import java.util.ArrayList;
52 import java.util.Arrays;
53 import java.util.Collections;
54 import java.util.LinkedHashSet;
55 import java.util.List;
56 import java.util.Map;
57 import java.util.Set;
58 import java.util.concurrent.ConcurrentHashMap;
59 import java.util.concurrent.Executor;
60 import java.util.concurrent.locks.Lock;
61 import java.util.concurrent.locks.ReadWriteLock;
62 import java.util.concurrent.locks.ReentrantReadWriteLock;
63 import javax.net.ssl.KeyManager;
64 import javax.net.ssl.KeyManagerFactory;
65 import javax.net.ssl.SNIServerName;
66 import javax.net.ssl.SSLEngine;
67 import javax.net.ssl.SSLException;
68 import javax.net.ssl.SSLHandshakeException;
69 import javax.net.ssl.TrustManager;
70 import javax.net.ssl.X509ExtendedTrustManager;
71 import javax.net.ssl.X509KeyManager;
72 import javax.net.ssl.X509TrustManager;
73
74 import static io.netty.handler.ssl.OpenSsl.DEFAULT_CIPHERS;
75 import static io.netty.handler.ssl.OpenSsl.availableJavaCipherSuites;
76 import static io.netty.util.internal.ObjectUtil.checkNonEmpty;
77 import static io.netty.util.internal.ObjectUtil.checkNotNull;
78 import static io.netty.util.internal.ObjectUtil.checkPositiveOrZero;
79
80
81
82
83
84
85
86
87
88
89 public abstract class ReferenceCountedOpenSslContext extends SslContext implements ReferenceCounted {
90 private static final InternalLogger logger =
91 InternalLoggerFactory.getInstance(ReferenceCountedOpenSslContext.class);
92
93 private static final int DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE = Math.max(1,
94 SystemPropertyUtil.getInt("io.netty.handler.ssl.openssl.bioNonApplicationBufferSize",
95 2048));
96
97 static final boolean USE_TASKS =
98 SystemPropertyUtil.getBoolean("io.netty.handler.ssl.openssl.useTasks", true);
99 private static final Integer DH_KEY_LENGTH;
100 private static final ResourceLeakDetector<ReferenceCountedOpenSslContext> leakDetector =
101 ResourceLeakDetectorFactory.instance().newResourceLeakDetector(ReferenceCountedOpenSslContext.class);
102
103
104 protected static final int VERIFY_DEPTH = 10;
105
106 static final boolean CLIENT_ENABLE_SESSION_TICKET =
107 SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", false);
108
109 static final boolean CLIENT_ENABLE_SESSION_TICKET_TLSV13 =
110 SystemPropertyUtil.getBoolean("jdk.tls.client.enableSessionTicketExtension", true);
111
112 static final boolean SERVER_ENABLE_SESSION_TICKET =
113 SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", false);
114
115 static final boolean SERVER_ENABLE_SESSION_TICKET_TLSV13 =
116 SystemPropertyUtil.getBoolean("jdk.tls.server.enableSessionTicketExtension", true);
117
118 static final boolean SERVER_ENABLE_SESSION_CACHE =
119 SystemPropertyUtil.getBoolean("io.netty.handler.ssl.openssl.sessionCacheServer", true);
120 static final boolean CLIENT_ENABLE_SESSION_CACHE =
121 SystemPropertyUtil.getBoolean("io.netty.handler.ssl.openssl.sessionCacheClient", true);
122
123
124
125
126
127
128 protected long ctx;
129 private final List<String> unmodifiableCiphers;
130 private final OpenSslApplicationProtocolNegotiator apn;
131 private final int mode;
132
133
134 private final ResourceLeakTracker<ReferenceCountedOpenSslContext> leak;
135 private final AbstractReferenceCounted refCnt = new AbstractReferenceCounted() {
136 @Override
137 public ReferenceCounted touch(Object hint) {
138 if (leak != null) {
139 leak.record(hint);
140 }
141
142 return ReferenceCountedOpenSslContext.this;
143 }
144
145 @Override
146 protected void deallocate() {
147 destroy();
148 if (leak != null) {
149 boolean closed = leak.close(ReferenceCountedOpenSslContext.this);
150 assert closed;
151 }
152 }
153 };
154
155 final Certificate[] keyCertChain;
156 final ClientAuth clientAuth;
157 final String[] protocols;
158 final String endpointIdentificationAlgorithm;
159 final List<SNIServerName> serverNames;
160 final boolean hasTLSv13Cipher;
161 final boolean hasTmpDhKeys;
162
163 final boolean enableOcsp;
164 final OpenSslEngineMap engineMap = new DefaultOpenSslEngineMap();
165 final ReadWriteLock ctxLock = new ReentrantReadWriteLock();
166
167 private volatile int bioNonApplicationBufferSize = DEFAULT_BIO_NON_APPLICATION_BUFFER_SIZE;
168
169 @SuppressWarnings("deprecation")
170 static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR =
171 new OpenSslApplicationProtocolNegotiator() {
172 @Override
173 public ApplicationProtocolConfig.Protocol protocol() {
174 return ApplicationProtocolConfig.Protocol.NONE;
175 }
176
177 @Override
178 public List<String> protocols() {
179 return Collections.emptyList();
180 }
181
182 @Override
183 public ApplicationProtocolConfig.SelectorFailureBehavior selectorFailureBehavior() {
184 return ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL;
185 }
186
187 @Override
188 public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListenerFailureBehavior() {
189 return ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT;
190 }
191 };
192
193 static {
194 Integer dhLen = null;
195
196 try {
197 String dhKeySize = SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
198 if (dhKeySize != null) {
199 try {
200 dhLen = Integer.valueOf(dhKeySize);
201 } catch (NumberFormatException e) {
202 logger.debug("ReferenceCountedOpenSslContext supports -Djdk.tls.ephemeralDHKeySize={int}, but got: "
203 + dhKeySize);
204 }
205 }
206 } catch (Throwable ignore) {
207
208 }
209 DH_KEY_LENGTH = dhLen;
210 }
211
212 final boolean tlsFalseStart;
213
214 ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
215 OpenSslApplicationProtocolNegotiator apn, int mode, Certificate[] keyCertChain,
216 ClientAuth clientAuth, String[] protocols, boolean startTls,
217 String endpointIdentificationAlgorithm, boolean enableOcsp,
218 boolean leakDetection, List<SNIServerName> serverNames,
219 ResumptionController resumptionController,
220 Map.Entry<SslContextOption<?>, Object>... ctxOptions)
221 throws SSLException {
222 super(startTls, resumptionController);
223
224 OpenSsl.ensureAvailability();
225
226 if (enableOcsp && !OpenSsl.isOcspSupported()) {
227 throw new IllegalStateException("OCSP is not supported.");
228 }
229
230 if (mode != SSL.SSL_MODE_SERVER && mode != SSL.SSL_MODE_CLIENT) {
231 throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
232 }
233
234 boolean tlsFalseStart = false;
235 boolean useTasks = USE_TASKS;
236 OpenSslPrivateKeyMethod privateKeyMethod = null;
237 OpenSslAsyncPrivateKeyMethod asyncPrivateKeyMethod = null;
238 OpenSslCertificateCompressionConfig certCompressionConfig = null;
239 Integer maxCertificateList = null;
240 Integer tmpDhKeyLength = null;
241 String[] groups = OpenSsl.NAMED_GROUPS;
242 if (ctxOptions != null) {
243 for (Map.Entry<SslContextOption<?>, Object> ctxOpt : ctxOptions) {
244 SslContextOption<?> option = ctxOpt.getKey();
245
246 if (option == OpenSslContextOption.TLS_FALSE_START) {
247 tlsFalseStart = (Boolean) ctxOpt.getValue();
248 } else if (option == OpenSslContextOption.USE_TASKS) {
249 useTasks = (Boolean) ctxOpt.getValue();
250 } else if (option == OpenSslContextOption.PRIVATE_KEY_METHOD) {
251 privateKeyMethod = (OpenSslPrivateKeyMethod) ctxOpt.getValue();
252 } else if (option == OpenSslContextOption.ASYNC_PRIVATE_KEY_METHOD) {
253 asyncPrivateKeyMethod = (OpenSslAsyncPrivateKeyMethod) ctxOpt.getValue();
254 } else if (option == OpenSslContextOption.CERTIFICATE_COMPRESSION_ALGORITHMS) {
255 certCompressionConfig = (OpenSslCertificateCompressionConfig) ctxOpt.getValue();
256 } else if (option == OpenSslContextOption.MAX_CERTIFICATE_LIST_BYTES) {
257 maxCertificateList = (Integer) ctxOpt.getValue();
258 } else if (option == OpenSslContextOption.TMP_DH_KEYLENGTH) {
259 tmpDhKeyLength = (Integer) ctxOpt.getValue();
260 } else if (option == OpenSslContextOption.GROUPS) {
261 String[] groupsArray = (String[]) ctxOpt.getValue();
262 Set<String> groupsSet = new LinkedHashSet<String>(groupsArray.length);
263 for (String group : groupsArray) {
264 groupsSet.add(GroupsConverter.toOpenSsl(group));
265 }
266 groups = groupsSet.toArray(EmptyArrays.EMPTY_STRINGS);
267 } else {
268 logger.debug("Skipping unsupported " + SslContextOption.class.getSimpleName()
269 + ": " + ctxOpt.getKey());
270 }
271 }
272 }
273 if (privateKeyMethod != null && asyncPrivateKeyMethod != null) {
274 throw new IllegalArgumentException("You can either only use "
275 + OpenSslAsyncPrivateKeyMethod.class.getSimpleName() + " or "
276 + OpenSslPrivateKeyMethod.class.getSimpleName());
277 }
278
279 this.tlsFalseStart = tlsFalseStart;
280
281 leak = leakDetection ? leakDetector.track(this) : null;
282 this.mode = mode;
283 this.clientAuth = isServer() ? checkNotNull(clientAuth, "clientAuth") : ClientAuth.NONE;
284 this.protocols = protocols == null ? OpenSsl.defaultProtocols(mode == SSL.SSL_MODE_CLIENT) : protocols;
285 this.endpointIdentificationAlgorithm = endpointIdentificationAlgorithm;
286 this.serverNames = serverNames;
287 this.enableOcsp = enableOcsp;
288
289 this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
290
291 String[] suites = checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
292 ciphers, DEFAULT_CIPHERS, availableJavaCipherSuites());
293
294 LinkedHashSet<String> suitesSet = new LinkedHashSet<String>(suites.length);
295 Collections.addAll(suitesSet, suites);
296 unmodifiableCiphers = new ArrayList<String>(suitesSet);
297
298 this.apn = checkNotNull(apn, "apn");
299
300
301 boolean success = false;
302 try {
303 boolean tlsv13Supported = OpenSsl.isTlsv13Supported();
304 boolean anyTlsv13Ciphers = false;
305 try {
306 int protocolOpts = SSL.SSL_PROTOCOL_SSLV3 | SSL.SSL_PROTOCOL_TLSV1 |
307 SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1_2;
308 if (tlsv13Supported) {
309 protocolOpts |= SSL.SSL_PROTOCOL_TLSV1_3;
310 }
311 ctx = SSLContext.make(protocolOpts, mode);
312 } catch (Exception e) {
313 throw new SSLException("failed to create an SSL_CTX", e);
314 }
315
316 StringBuilder cipherBuilder = new StringBuilder();
317 StringBuilder cipherTLSv13Builder = new StringBuilder();
318
319
320 try {
321 if (unmodifiableCiphers.isEmpty()) {
322
323 SSLContext.setCipherSuite(ctx, StringUtil.EMPTY_STRING, false);
324 if (tlsv13Supported) {
325
326 SSLContext.setCipherSuite(ctx, StringUtil.EMPTY_STRING, true);
327 }
328 } else {
329 CipherSuiteConverter.convertToCipherStrings(
330 unmodifiableCiphers, cipherBuilder, cipherTLSv13Builder, OpenSsl.isBoringSSL());
331
332
333 SSLContext.setCipherSuite(ctx, cipherBuilder.toString(), false);
334 if (tlsv13Supported) {
335
336 String tlsv13Ciphers = OpenSsl.checkTls13Ciphers(logger, cipherTLSv13Builder.toString());
337 SSLContext.setCipherSuite(ctx, tlsv13Ciphers, true);
338 if (!tlsv13Ciphers.isEmpty()) {
339 anyTlsv13Ciphers = true;
340 }
341 }
342 }
343 } catch (SSLException e) {
344 throw e;
345 } catch (Exception e) {
346 throw new SSLException("failed to set cipher suite: " + unmodifiableCiphers, e);
347 }
348
349 int options = SSLContext.getOptions(ctx) |
350 SSL.SSL_OP_NO_SSLv2 |
351 SSL.SSL_OP_NO_SSLv3 |
352
353
354
355 SSL.SSL_OP_NO_TLSv1 |
356 SSL.SSL_OP_NO_TLSv1_1 |
357
358 SSL.SSL_OP_CIPHER_SERVER_PREFERENCE |
359
360
361 SSL.SSL_OP_NO_COMPRESSION |
362
363
364
365
366
367 SSL.SSL_OP_NO_TICKET;
368
369 if (cipherBuilder.length() == 0) {
370
371 options |= SSL.SSL_OP_NO_SSLv2 | SSL.SSL_OP_NO_SSLv3 | SSL.SSL_OP_NO_TLSv1
372 | SSL.SSL_OP_NO_TLSv1_1 | SSL.SSL_OP_NO_TLSv1_2;
373 }
374
375 if (!tlsv13Supported) {
376
377
378
379 options |= SSL.SSL_OP_NO_TLSv1_3;
380 }
381
382 hasTLSv13Cipher = anyTlsv13Ciphers;
383 SSLContext.setOptions(ctx, options);
384
385
386
387
388 SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
389
390 if (tmpDhKeyLength != null) {
391 SSLContext.setTmpDHLength(ctx, tmpDhKeyLength);
392 hasTmpDhKeys = true;
393 } else if (DH_KEY_LENGTH != null) {
394 SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
395 hasTmpDhKeys = true;
396 } else {
397 hasTmpDhKeys = false;
398 }
399
400 List<String> nextProtoList = apn.protocols();
401
402 if (!nextProtoList.isEmpty()) {
403 String[] appProtocols = nextProtoList.toArray(EmptyArrays.EMPTY_STRINGS);
404 int selectorBehavior = opensslSelectorFailureBehavior(apn.selectorFailureBehavior());
405
406 switch (apn.protocol()) {
407 case NPN:
408 SSLContext.setNpnProtos(ctx, appProtocols, selectorBehavior);
409 break;
410 case ALPN:
411 SSLContext.setAlpnProtos(ctx, appProtocols, selectorBehavior);
412 break;
413 case NPN_AND_ALPN:
414 SSLContext.setNpnProtos(ctx, appProtocols, selectorBehavior);
415 SSLContext.setAlpnProtos(ctx, appProtocols, selectorBehavior);
416 break;
417 default:
418 throw new Error();
419 }
420 }
421
422 if (enableOcsp) {
423 SSLContext.enableOcsp(ctx, isClient());
424 }
425
426 SSLContext.setUseTasks(ctx, useTasks);
427 if (privateKeyMethod != null) {
428 SSLContext.setPrivateKeyMethod(ctx, new PrivateKeyMethod(engineMap, privateKeyMethod));
429 }
430 if (asyncPrivateKeyMethod != null) {
431 SSLContext.setPrivateKeyMethod(ctx, new AsyncPrivateKeyMethod(engineMap, asyncPrivateKeyMethod));
432 }
433 if (certCompressionConfig != null) {
434 for (OpenSslCertificateCompressionConfig.AlgorithmConfig configPair : certCompressionConfig) {
435 final CertificateCompressionAlgo algo = new CompressionAlgorithm(engineMap, configPair.algorithm());
436 switch (configPair.mode()) {
437 case Decompress:
438 SSLContext.addCertificateCompressionAlgorithm(
439 ctx, SSL.SSL_CERT_COMPRESSION_DIRECTION_DECOMPRESS, algo);
440 break;
441 case Compress:
442 SSLContext.addCertificateCompressionAlgorithm(
443 ctx, SSL.SSL_CERT_COMPRESSION_DIRECTION_COMPRESS, algo);
444 break;
445 case Both:
446 SSLContext.addCertificateCompressionAlgorithm(
447 ctx, SSL.SSL_CERT_COMPRESSION_DIRECTION_BOTH, algo);
448 break;
449 default:
450 throw new IllegalStateException();
451 }
452 }
453 }
454 if (maxCertificateList != null) {
455 SSLContext.setMaxCertList(ctx, maxCertificateList);
456 }
457
458
459 if (groups.length > 0 && !SSLContext.setCurvesList(ctx, groups)) {
460 String msg = "failed to set curves / groups suite: " + Arrays.toString(groups);
461 int err = SSL.getLastErrorNumber();
462 if (err != 0) {
463
464 msg += ". " + SSL.getErrorString(err);
465 }
466 throw new SSLException(msg);
467 }
468 success = true;
469 } finally {
470 if (!success) {
471 release();
472 }
473 }
474 }
475
476 private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior) {
477 switch (behavior) {
478 case NO_ADVERTISE:
479 return SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE;
480 case CHOOSE_MY_LAST_PROTOCOL:
481 return SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL;
482 default:
483 throw new Error();
484 }
485 }
486
487 @Override
488 public final List<String> cipherSuites() {
489 return unmodifiableCiphers;
490 }
491
492 @Override
493 public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
494 return apn;
495 }
496
497 @Override
498 public final boolean isClient() {
499 return mode == SSL.SSL_MODE_CLIENT;
500 }
501
502 @Override
503 public final SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
504 return newEngine0(alloc, peerHost, peerPort, true);
505 }
506
507 @Override
508 protected final SslHandler newHandler(ByteBufAllocator alloc, boolean startTls) {
509 return new SslHandler(newEngine0(alloc, null, -1, false), startTls, ImmediateExecutor.INSTANCE,
510 resumptionController);
511 }
512
513 @Override
514 protected final SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort, boolean startTls) {
515 return new SslHandler(newEngine0(alloc, peerHost, peerPort, false), startTls, ImmediateExecutor.INSTANCE,
516 resumptionController);
517 }
518
519 @Override
520 protected SslHandler newHandler(ByteBufAllocator alloc, boolean startTls, Executor executor) {
521 return new SslHandler(newEngine0(alloc, null, -1, false), startTls, executor, resumptionController);
522 }
523
524 @Override
525 protected SslHandler newHandler(ByteBufAllocator alloc, String peerHost, int peerPort,
526 boolean startTls, Executor executor) {
527 return new SslHandler(newEngine0(alloc, peerHost, peerPort, false), false, executor, resumptionController);
528 }
529
530 SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort, boolean jdkCompatibilityMode) {
531 return new ReferenceCountedOpenSslEngine(this, alloc, peerHost, peerPort, jdkCompatibilityMode, true,
532 endpointIdentificationAlgorithm, serverNames);
533 }
534
535
536
537
538 @Override
539 public final SSLEngine newEngine(ByteBufAllocator alloc) {
540 return newEngine(alloc, null, -1);
541 }
542
543
544
545
546
547
548
549
550 @Deprecated
551 public final long context() {
552 return sslCtxPointer();
553 }
554
555
556
557
558
559
560 @Deprecated
561 public final OpenSslSessionStats stats() {
562 return sessionContext().stats();
563 }
564
565
566
567
568
569
570 @Deprecated
571 public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation) {
572 if (!rejectRemoteInitiatedRenegotiation) {
573 throw new UnsupportedOperationException("Renegotiation is not supported");
574 }
575 }
576
577
578
579
580
581 @Deprecated
582 public boolean getRejectRemoteInitiatedRenegotiation() {
583 return true;
584 }
585
586
587
588
589
590 public void setBioNonApplicationBufferSize(int bioNonApplicationBufferSize) {
591 this.bioNonApplicationBufferSize =
592 checkPositiveOrZero(bioNonApplicationBufferSize, "bioNonApplicationBufferSize");
593 }
594
595
596
597
598 public int getBioNonApplicationBufferSize() {
599 return bioNonApplicationBufferSize;
600 }
601
602
603
604
605
606
607 @Deprecated
608 public final void setTicketKeys(byte[] keys) {
609 sessionContext().setTicketKeys(keys);
610 }
611
612 @Override
613 public abstract OpenSslSessionContext sessionContext();
614
615
616
617
618
619
620
621
622 @Deprecated
623 public final long sslCtxPointer() {
624 Lock readerLock = ctxLock.readLock();
625 readerLock.lock();
626 try {
627 return SSLContext.getSslCtx(ctx);
628 } finally {
629 readerLock.unlock();
630 }
631 }
632
633
634
635
636
637
638
639
640
641
642
643 @Deprecated
644 @UnstableApi
645 public final void setPrivateKeyMethod(OpenSslPrivateKeyMethod method) {
646 checkNotNull(method, "method");
647 Lock writerLock = ctxLock.writeLock();
648 writerLock.lock();
649 try {
650 SSLContext.setPrivateKeyMethod(ctx, new PrivateKeyMethod(engineMap, method));
651 } finally {
652 writerLock.unlock();
653 }
654 }
655
656
657
658
659
660 @Deprecated
661 public final void setUseTasks(boolean useTasks) {
662 Lock writerLock = ctxLock.writeLock();
663 writerLock.lock();
664 try {
665 SSLContext.setUseTasks(ctx, useTasks);
666 } finally {
667 writerLock.unlock();
668 }
669 }
670
671
672
673
674 private void destroy() {
675 Lock writerLock = ctxLock.writeLock();
676 writerLock.lock();
677 try {
678 if (ctx != 0) {
679 if (enableOcsp) {
680 SSLContext.disableOcsp(ctx);
681 }
682
683 SSLContext.free(ctx);
684 ctx = 0;
685
686 OpenSslSessionContext context = sessionContext();
687 if (context != null) {
688 context.destroy();
689 }
690 }
691 } finally {
692 writerLock.unlock();
693 }
694 }
695
696 protected static X509Certificate[] certificates(byte[][] chain) {
697 X509Certificate[] peerCerts = new X509Certificate[chain.length];
698 for (int i = 0; i < peerCerts.length; i++) {
699 peerCerts[i] = new LazyX509Certificate(chain[i]);
700 }
701 return peerCerts;
702 }
703
704
705
706
707 @Deprecated
708 protected static X509TrustManager chooseTrustManager(TrustManager[] managers) {
709 return chooseTrustManager(managers, null);
710 }
711
712 static X509TrustManager chooseTrustManager(TrustManager[] managers,
713 ResumptionController resumptionController) {
714 for (TrustManager m : managers) {
715 if (m instanceof X509TrustManager) {
716 X509TrustManager tm = (X509TrustManager) m;
717 if (resumptionController != null) {
718 tm = (X509TrustManager) resumptionController.wrapIfNeeded(tm);
719 }
720 tm = OpenSslX509TrustManagerWrapper.wrapIfNeeded((X509TrustManager) m);
721 if (useExtendedTrustManager(tm)) {
722
723
724 tm = new EnhancingX509ExtendedTrustManager(tm);
725 }
726 return tm;
727 }
728 }
729 throw new IllegalStateException("no X509TrustManager found");
730 }
731
732 protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms) {
733 for (KeyManager km : kms) {
734 if (km instanceof X509KeyManager) {
735 return (X509KeyManager) km;
736 }
737 }
738 throw new IllegalStateException("no X509KeyManager found");
739 }
740
741
742
743
744
745
746
747
748 @SuppressWarnings("deprecation")
749 static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config) {
750 if (config == null) {
751 return NONE_PROTOCOL_NEGOTIATOR;
752 }
753
754 switch (config.protocol()) {
755 case NONE:
756 return NONE_PROTOCOL_NEGOTIATOR;
757 case ALPN:
758 case NPN:
759 case NPN_AND_ALPN:
760 switch (config.selectedListenerFailureBehavior()) {
761 case CHOOSE_MY_LAST_PROTOCOL:
762 case ACCEPT:
763 switch (config.selectorFailureBehavior()) {
764 case CHOOSE_MY_LAST_PROTOCOL:
765 case NO_ADVERTISE:
766 return new OpenSslDefaultApplicationProtocolNegotiator(
767 config);
768 default:
769 throw new UnsupportedOperationException(
770 new StringBuilder("OpenSSL provider does not support ")
771 .append(config.selectorFailureBehavior())
772 .append(" behavior").toString());
773 }
774 default:
775 throw new UnsupportedOperationException(
776 new StringBuilder("OpenSSL provider does not support ")
777 .append(config.selectedListenerFailureBehavior())
778 .append(" behavior").toString());
779 }
780 default:
781 throw new Error();
782 }
783 }
784
785 static boolean useExtendedTrustManager(X509TrustManager trustManager) {
786 return trustManager instanceof X509ExtendedTrustManager;
787 }
788
789 @Override
790 public final int refCnt() {
791 return refCnt.refCnt();
792 }
793
794 @Override
795 public final ReferenceCounted retain() {
796 refCnt.retain();
797 return this;
798 }
799
800 @Override
801 public final ReferenceCounted retain(int increment) {
802 refCnt.retain(increment);
803 return this;
804 }
805
806 @Override
807 public final ReferenceCounted touch() {
808 refCnt.touch();
809 return this;
810 }
811
812 @Override
813 public final ReferenceCounted touch(Object hint) {
814 refCnt.touch(hint);
815 return this;
816 }
817
818 @Override
819 public final boolean release() {
820 return refCnt.release();
821 }
822
823 @Override
824 public final boolean release(int decrement) {
825 return refCnt.release(decrement);
826 }
827
828 abstract static class AbstractCertificateVerifier extends CertificateVerifier {
829 private final OpenSslEngineMap engineMap;
830
831 AbstractCertificateVerifier(OpenSslEngineMap engineMap) {
832 this.engineMap = engineMap;
833 }
834
835 @Override
836 public final int verify(long ssl, byte[][] chain, String auth) {
837 final ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
838 if (engine == null) {
839
840 return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
841 }
842 X509Certificate[] peerCerts = certificates(chain);
843 try {
844 verify(engine, peerCerts, auth);
845 return CertificateVerifier.X509_V_OK;
846 } catch (Throwable cause) {
847 logger.debug("verification of certificate failed", cause);
848 engine.initHandshakeException(cause);
849
850
851 if (cause instanceof OpenSslCertificateException) {
852
853
854 return ((OpenSslCertificateException) cause).errorCode();
855 }
856 if (cause instanceof CertificateExpiredException) {
857 return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
858 }
859 if (cause instanceof CertificateNotYetValidException) {
860 return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
861 }
862 return translateToError(cause);
863 }
864 }
865
866 private static int translateToError(Throwable cause) {
867 if (cause instanceof CertificateRevokedException) {
868 return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
869 }
870
871
872
873
874 Throwable wrapped = cause.getCause();
875 while (wrapped != null) {
876 if (wrapped instanceof CertPathValidatorException) {
877 CertPathValidatorException ex = (CertPathValidatorException) wrapped;
878 CertPathValidatorException.Reason reason = ex.getReason();
879 if (reason == CertPathValidatorException.BasicReason.EXPIRED) {
880 return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
881 }
882 if (reason == CertPathValidatorException.BasicReason.NOT_YET_VALID) {
883 return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
884 }
885 if (reason == CertPathValidatorException.BasicReason.REVOKED) {
886 return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
887 }
888 }
889 wrapped = wrapped.getCause();
890 }
891 return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
892 }
893
894 abstract void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts,
895 String auth) throws Exception;
896 }
897
898 private static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
899 private final Map<Long, ReferenceCountedOpenSslEngine> engines = new ConcurrentHashMap<>();
900
901 @Override
902 public ReferenceCountedOpenSslEngine remove(long ssl) {
903 return engines.remove(ssl);
904 }
905
906 @Override
907 public void add(ReferenceCountedOpenSslEngine engine) {
908 engines.put(engine.sslPointer(), engine);
909 }
910
911 @Override
912 public ReferenceCountedOpenSslEngine get(long ssl) {
913 return engines.get(ssl);
914 }
915 }
916
917 static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
918 throws SSLException {
919
920 long keyBio = 0;
921 long keyCertChainBio = 0;
922 long keyCertChainBio2 = 0;
923 PemEncoded encoded = null;
924 try {
925
926 encoded = PemX509Certificate.toPEM(ByteBufAllocator.DEFAULT, true, keyCertChain);
927 keyCertChainBio = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
928 keyCertChainBio2 = toBIO(ByteBufAllocator.DEFAULT, encoded.retain());
929
930 if (key != null) {
931 keyBio = toBIO(ByteBufAllocator.DEFAULT, key);
932 }
933
934 SSLContext.setCertificateBio(
935 ctx, keyCertChainBio, keyBio,
936 keyPassword == null ? StringUtil.EMPTY_STRING : keyPassword);
937
938 SSLContext.setCertificateChainBio(ctx, keyCertChainBio2, true);
939 } catch (SSLException e) {
940 throw e;
941 } catch (Exception e) {
942 throw new SSLException("failed to set certificate and key", e);
943 } finally {
944 freeBio(keyBio);
945 freeBio(keyCertChainBio);
946 freeBio(keyCertChainBio2);
947 if (encoded != null) {
948 encoded.release();
949 }
950 }
951 }
952
953 static void freeBio(long bio) {
954 if (bio != 0) {
955 SSL.freeBIO(bio);
956 }
957 }
958
959
960
961
962
963 static long toBIO(ByteBufAllocator allocator, PrivateKey key) throws Exception {
964 if (key == null) {
965 return 0;
966 }
967
968 PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
969 try {
970 return toBIO(allocator, pem.retain());
971 } finally {
972 pem.release();
973 }
974 }
975
976
977
978
979
980 static long toBIO(ByteBufAllocator allocator, X509Certificate... certChain) throws Exception {
981 if (certChain == null) {
982 return 0;
983 }
984
985 checkNonEmpty(certChain, "certChain");
986
987 PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
988 try {
989 return toBIO(allocator, pem.retain());
990 } finally {
991 pem.release();
992 }
993 }
994
995 static long toBIO(ByteBufAllocator allocator, PemEncoded pem) throws Exception {
996 try {
997
998
999 ByteBuf content = pem.content();
1000
1001 if (content.isDirect()) {
1002 return newBIO(content.retainedSlice());
1003 }
1004
1005 ByteBuf buffer = allocator.directBuffer(content.readableBytes());
1006 try {
1007 buffer.writeBytes(content, content.readerIndex(), content.readableBytes());
1008 return newBIO(buffer.retainedSlice());
1009 } finally {
1010 try {
1011
1012
1013 if (pem.isSensitive()) {
1014 SslUtils.zeroout(buffer);
1015 }
1016 } finally {
1017 buffer.release();
1018 }
1019 }
1020 } finally {
1021 pem.release();
1022 }
1023 }
1024
1025 private static long newBIO(ByteBuf buffer) throws Exception {
1026 try {
1027 long bio = SSL.newMemBIO();
1028 int readable = buffer.readableBytes();
1029 if (SSL.bioWrite(bio, OpenSsl.memoryAddress(buffer) + buffer.readerIndex(), readable) != readable) {
1030 SSL.freeBIO(bio);
1031 throw new IllegalStateException("Could not write data to memory BIO");
1032 }
1033 return bio;
1034 } finally {
1035 buffer.release();
1036 }
1037 }
1038
1039
1040
1041
1042
1043
1044 static OpenSslKeyMaterialProvider providerFor(KeyManagerFactory factory, String password) {
1045 if (factory instanceof OpenSslX509KeyManagerFactory) {
1046 return ((OpenSslX509KeyManagerFactory) factory).newProvider();
1047 }
1048
1049 if (factory instanceof OpenSslCachingX509KeyManagerFactory) {
1050
1051 return ((OpenSslCachingX509KeyManagerFactory) factory).newProvider(password);
1052 }
1053
1054 return new OpenSslKeyMaterialProvider(chooseX509KeyManager(factory.getKeyManagers()), password);
1055 }
1056
1057 private static ReferenceCountedOpenSslEngine retrieveEngine(OpenSslEngineMap engineMap, long ssl)
1058 throws SSLException {
1059 ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
1060 if (engine == null) {
1061 throw new SSLException("Could not find a " +
1062 StringUtil.simpleClassName(ReferenceCountedOpenSslEngine.class) + " for sslPointer " + ssl);
1063 }
1064 return engine;
1065 }
1066
1067 private static final class PrivateKeyMethod implements SSLPrivateKeyMethod {
1068
1069 private final OpenSslEngineMap engineMap;
1070 private final OpenSslPrivateKeyMethod keyMethod;
1071 PrivateKeyMethod(OpenSslEngineMap engineMap, OpenSslPrivateKeyMethod keyMethod) {
1072 this.engineMap = engineMap;
1073 this.keyMethod = keyMethod;
1074 }
1075
1076 @Override
1077 public byte[] sign(long ssl, int signatureAlgorithm, byte[] digest) throws Exception {
1078 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1079 try {
1080 return verifyResult(keyMethod.sign(engine, signatureAlgorithm, digest));
1081 } catch (Exception e) {
1082 engine.initHandshakeException(e);
1083 throw e;
1084 }
1085 }
1086
1087 @Override
1088 public byte[] decrypt(long ssl, byte[] input) throws Exception {
1089 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1090 try {
1091 return verifyResult(keyMethod.decrypt(engine, input));
1092 } catch (Exception e) {
1093 engine.initHandshakeException(e);
1094 throw e;
1095 }
1096 }
1097 }
1098
1099 private static final class AsyncPrivateKeyMethod implements AsyncSSLPrivateKeyMethod {
1100
1101 private final OpenSslEngineMap engineMap;
1102 private final OpenSslAsyncPrivateKeyMethod keyMethod;
1103
1104 AsyncPrivateKeyMethod(OpenSslEngineMap engineMap, OpenSslAsyncPrivateKeyMethod keyMethod) {
1105 this.engineMap = engineMap;
1106 this.keyMethod = keyMethod;
1107 }
1108
1109 @Override
1110 public void sign(long ssl, int signatureAlgorithm, byte[] bytes, ResultCallback<byte[]> resultCallback) {
1111 try {
1112 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1113 keyMethod.sign(engine, signatureAlgorithm, bytes)
1114 .addListener(new ResultCallbackListener(engine, ssl, resultCallback));
1115 } catch (SSLException e) {
1116 resultCallback.onError(ssl, e);
1117 }
1118 }
1119
1120 @Override
1121 public void decrypt(long ssl, byte[] bytes, ResultCallback<byte[]> resultCallback) {
1122 try {
1123 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1124 keyMethod.decrypt(engine, bytes)
1125 .addListener(new ResultCallbackListener(engine, ssl, resultCallback));
1126 } catch (SSLException e) {
1127 resultCallback.onError(ssl, e);
1128 }
1129 }
1130
1131 private static final class ResultCallbackListener implements FutureListener<byte[]> {
1132 private final ReferenceCountedOpenSslEngine engine;
1133 private final long ssl;
1134 private final ResultCallback<byte[]> resultCallback;
1135
1136 ResultCallbackListener(ReferenceCountedOpenSslEngine engine, long ssl,
1137 ResultCallback<byte[]> resultCallback) {
1138 this.engine = engine;
1139 this.ssl = ssl;
1140 this.resultCallback = resultCallback;
1141 }
1142
1143 @Override
1144 public void operationComplete(Future<byte[]> future) {
1145 Throwable cause = future.cause();
1146 if (cause == null) {
1147 try {
1148 byte[] result = verifyResult(future.getNow());
1149 resultCallback.onSuccess(ssl, result);
1150 return;
1151 } catch (SignatureException e) {
1152 cause = e;
1153 engine.initHandshakeException(e);
1154 }
1155 }
1156 resultCallback.onError(ssl, cause);
1157 }
1158 }
1159 }
1160
1161 private static byte[] verifyResult(byte[] result) throws SignatureException {
1162 if (result == null) {
1163 throw new SignatureException();
1164 }
1165 return result;
1166 }
1167
1168 private static final class CompressionAlgorithm implements CertificateCompressionAlgo {
1169 private final OpenSslEngineMap engineMap;
1170 private final OpenSslCertificateCompressionAlgorithm compressionAlgorithm;
1171
1172 CompressionAlgorithm(OpenSslEngineMap engineMap, OpenSslCertificateCompressionAlgorithm compressionAlgorithm) {
1173 this.engineMap = engineMap;
1174 this.compressionAlgorithm = compressionAlgorithm;
1175 }
1176
1177 @Override
1178 public byte[] compress(long ssl, byte[] bytes) throws Exception {
1179 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1180 return compressionAlgorithm.compress(engine, bytes);
1181 }
1182
1183 @Override
1184 public byte[] decompress(long ssl, int len, byte[] bytes) throws Exception {
1185 ReferenceCountedOpenSslEngine engine = retrieveEngine(engineMap, ssl);
1186 return compressionAlgorithm.decompress(engine, len, bytes);
1187 }
1188
1189 @Override
1190 public int algorithmId() {
1191 return compressionAlgorithm.algorithmId();
1192 }
1193 }
1194 }