OpenSslEngine with no finalizer

Motivation:
OpenSslEngine and OpenSslContext currently rely on finalizers to ensure that native resources are cleaned up. Finalizers require the GC to do extra work, and this extra work can be avoided if the user instead takes responsibility of releasing the native resources.

Modifications:
- Make a base class for OpenSslENgine and OpenSslContext which does not have a finalizer but instead implements ReferenceCounted. If this engine is inserted into the pipeline it will be released by the SslHandler
- Add a new SslProvider which can be used to enable this new feature

Result:
Users can opt-in to a finalizer free OpenSslEngine and OpenSslContext.
Fixes https://github.com/netty/netty/issues/4958
This commit is contained in:
Scott Mitchell 2016-07-14 22:00:58 -07:00
parent 3fa8f31055
commit 7d774584c8
21 changed files with 3403 additions and 2867 deletions

View File

@ -15,34 +15,25 @@
*/ */
package io.netty.handler.ssl; package io.netty.handler.ssl;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import org.apache.tomcat.jni.CertificateRequestedCallback;
import org.apache.tomcat.jni.SSL; import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import java.io.File;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager; import static io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import java.io.File;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
/** /**
* A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation. * A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
* <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
* and manually release the native memory see {@link ReferenceCountedOpenSslClientContext}.
*/ */
public final class OpenSslClientContext extends OpenSslContext { public final class OpenSslClientContext extends OpenSslContext {
private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSslClientContext.class);
private final OpenSslSessionContext sessionContext; private final OpenSslSessionContext sessionContext;
/** /**
@ -187,7 +178,6 @@ public final class OpenSslClientContext extends OpenSslContext {
keyPassword, keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout); keyPassword, keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
} }
@SuppressWarnings("deprecation")
OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory, OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
KeyManagerFactory keyManagerFactory, Iterable<String> ciphers, KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
@ -198,73 +188,12 @@ public final class OpenSslClientContext extends OpenSslContext {
ClientAuth.NONE); ClientAuth.NONE);
boolean success = false; boolean success = false;
try { try {
if (key == null && keyCertChain != null || key != null && keyCertChain == null) { sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
throw new IllegalArgumentException( keyCertChain, key, keyPassword, keyManagerFactory);
"Either both keyCertChain and key needs to be null or none of them");
}
synchronized (OpenSslContext.class) {
try {
if (!OpenSsl.useKeyManagerFactory()) {
if (keyManagerFactory != null) {
throw new IllegalArgumentException(
"KeyManagerFactory not supported");
}
if (keyCertChain != null && key != null) {
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
}
} else {
if (keyCertChain != null) {
keyManagerFactory = buildKeyManagerFactory(
keyCertChain, key, keyPassword, keyManagerFactory);
}
if (keyManagerFactory != null) {
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
OpenSslKeyMaterialManager materialManager = useExtendedKeyManager(keyManager) ?
new OpenSslExtendedKeyMaterialManager(
(X509ExtendedKeyManager) keyManager, keyPassword) :
new OpenSslKeyMaterialManager(keyManager, keyPassword);
SSLContext.setCertRequestedCallback(ctx, new OpenSslCertificateRequestedCallback(
engineMap, materialManager));
}
}
} catch (Exception e) {
throw new SSLException("failed to set certificate and key", e);
}
SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH);
try {
if (trustCertCollection != null) {
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
} else if (trustManagerFactory == null) {
trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
}
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
// otherwise the context can never be collected. This is because the JNI code holds
// a global reference to the callbacks.
//
// See https://github.com/netty/netty/issues/5372
// Use this to prevent an error when running on java < 7
if (useExtendedTrustManager(manager)) {
SSLContext.setCertVerifyCallback(ctx,
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
} else {
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
}
} catch (Exception e) {
throw new SSLException("unable to setup trustmanager", e);
}
}
sessionContext = new OpenSslClientSessionContext(this);
success = true; success = true;
} finally { } finally {
if (!success) { if (!success) {
destroy(); release();
} }
} }
} }
@ -278,148 +207,4 @@ public final class OpenSslClientContext extends OpenSslContext {
OpenSslKeyMaterialManager keyMaterialManager() { OpenSslKeyMaterialManager keyMaterialManager() {
return null; return null;
} }
// No cache is currently supported for client side mode.
private static final class OpenSslClientSessionContext extends OpenSslSessionContext {
private OpenSslClientSessionContext(OpenSslContext context) {
super(context);
}
@Override
public void setSessionTimeout(int seconds) {
if (seconds < 0) {
throw new IllegalArgumentException();
}
}
@Override
public int getSessionTimeout() {
return 0;
}
@Override
public void setSessionCacheSize(int size) {
if (size < 0) {
throw new IllegalArgumentException();
}
}
@Override
public int getSessionCacheSize() {
return 0;
}
@Override
public void setSessionCacheEnabled(boolean enabled) {
// ignored
}
@Override
public boolean isSessionCacheEnabled() {
return false;
}
}
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509TrustManager manager;
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkServerTrusted(peerCerts, auth);
}
}
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509ExtendedTrustManager manager;
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkServerTrusted(peerCerts, auth, engine);
}
}
private static final class OpenSslCertificateRequestedCallback implements CertificateRequestedCallback {
private final OpenSslEngineMap engineMap;
private final OpenSslKeyMaterialManager keyManagerHolder;
OpenSslCertificateRequestedCallback(OpenSslEngineMap engineMap, OpenSslKeyMaterialManager keyManagerHolder) {
this.engineMap = engineMap;
this.keyManagerHolder = keyManagerHolder;
}
@Override
public void requested(long ssl, byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) {
final OpenSslEngine engine = engineMap.get(ssl);
try {
final Set<String> keyTypesSet = supportedClientKeyTypes(keyTypeBytes);
final String[] keyTypes = keyTypesSet.toArray(new String[keyTypesSet.size()]);
final X500Principal[] issuers;
if (asn1DerEncodedPrincipals == null) {
issuers = null;
} else {
issuers = new X500Principal[asn1DerEncodedPrincipals.length];
for (int i = 0; i < asn1DerEncodedPrincipals.length; i++) {
issuers[i] = new X500Principal(asn1DerEncodedPrincipals[i]);
}
}
keyManagerHolder.setKeyMaterial(engine, keyTypes, issuers);
} catch (Throwable cause) {
logger.debug("request of key failed", cause);
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
e.initCause(cause);
engine.handshakeException = e;
}
}
/**
* Gets the supported key types for client certificates.
*
* @param clientCertificateTypes {@code ClientCertificateType} values provided by the server.
* See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml.
* @return supported key types that can be used in {@code X509KeyManager.chooseClientAlias} and
* {@code X509ExtendedKeyManager.chooseEngineClientAlias}.
*/
private static Set<String> supportedClientKeyTypes(byte[] clientCertificateTypes) {
Set<String> result = new HashSet<String>(clientCertificateTypes.length);
for (byte keyTypeCode : clientCertificateTypes) {
String keyType = clientKeyType(keyTypeCode);
if (keyType == null) {
// Unsupported client key type -- ignore
continue;
}
result.add(keyType);
}
return result;
}
private static String clientKeyType(byte clientCertificateType) {
// See also http://www.ietf.org/assignments/tls-parameters/tls-parameters.xml
switch (clientCertificateType) {
case CertificateRequestedCallback.TLS_CT_RSA_SIGN:
return OpenSslKeyMaterialManager.KEY_TYPE_RSA; // RFC rsa_sign
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_DH:
return OpenSslKeyMaterialManager.KEY_TYPE_DH_RSA; // RFC rsa_fixed_dh
case CertificateRequestedCallback.TLS_CT_ECDSA_SIGN:
return OpenSslKeyMaterialManager.KEY_TYPE_EC; // RFC ecdsa_sign
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_ECDH:
return OpenSslKeyMaterialManager.KEY_TYPE_EC_RSA; // RFC rsa_fixed_ecdh
case CertificateRequestedCallback.TLS_CT_ECDSA_FIXED_ECDH:
return OpenSslKeyMaterialManager.KEY_TYPE_EC_EC; // RFC ecdsa_fixed_ecdh
default:
return null;
}
}
}
} }

View File

@ -15,661 +15,46 @@
*/ */
package io.netty.handler.ssl; package io.netty.handler.ssl;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator; import io.netty.buffer.ByteBufAllocator;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.StringUtil;
import io.netty.util.internal.SystemPropertyUtil;
import io.netty.util.internal.logging.InternalLogger; import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory; import io.netty.util.internal.logging.InternalLoggerFactory;
import org.apache.tomcat.jni.CertificateVerifier;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import javax.net.ssl.KeyManager; import java.security.cert.Certificate;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import java.security.AccessController;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import static io.netty.util.internal.ObjectUtil.checkNotNull; import static io.netty.util.ReferenceCountUtil.safeRelease;
import static io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
import static io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBehavior;
public abstract class OpenSslContext extends SslContext {
private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSslContext.class);
/**
* To make it easier for users to replace JDK implemention with OpenSsl version we also use
* {@code jdk.tls.rejectClientInitiatedRenegotiation} to allow disabling client initiated renegotiation.
* Java8+ uses this system property as well.
* <p>
* See also <a href="http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html">
* Significant SSL/TLS improvements in Java 8</a>
*/
private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION =
SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false);
private static final List<String> DEFAULT_CIPHERS;
private static final Integer DH_KEY_LENGTH;
// TODO: Maybe make configurable ?
protected static final int VERIFY_DEPTH = 10;
/**
* The OpenSSL SSL_CTX object
*/
protected volatile long ctx;
long aprPool;
@SuppressWarnings({ "unused", "FieldMayBeFinal" })
private volatile int aprPoolDestroyed;
private final List<String> unmodifiableCiphers;
private final long sessionCacheSize;
private final long sessionTimeout;
private final OpenSslApplicationProtocolNegotiator apn;
private final int mode;
final Certificate[] keyCertChain;
final ClientAuth clientAuth;
final OpenSslEngineMap engineMap = new DefaultOpenSslEngineMap();
volatile boolean rejectRemoteInitiatedRenegotiation;
static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR =
new OpenSslApplicationProtocolNegotiator() {
@Override
public ApplicationProtocolConfig.Protocol protocol() {
return ApplicationProtocolConfig.Protocol.NONE;
}
@Override
public List<String> protocols() {
return Collections.emptyList();
}
@Override
public SelectorFailureBehavior selectorFailureBehavior() {
return SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL;
}
@Override
public SelectedListenerFailureBehavior selectedListenerFailureBehavior() {
return SelectedListenerFailureBehavior.ACCEPT;
}
};
static {
List<String> ciphers = new ArrayList<String>();
// XXX: Make sure to sync this list with JdkSslEngineFactory.
Collections.addAll(
ciphers,
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-SHA",
"ECDHE-RSA-AES256-SHA",
"AES128-GCM-SHA256",
"AES128-SHA",
"AES256-SHA",
"DES-CBC3-SHA");
DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
if (logger.isDebugEnabled()) {
logger.debug("Default cipher suite (OpenSSL): " + ciphers);
}
Integer dhLen = null;
try {
String dhKeySize = AccessController.doPrivileged(new PrivilegedAction<String>() {
@Override
public String run() {
return SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
}
});
if (dhKeySize != null) {
try {
dhLen = Integer.parseInt(dhKeySize);
} catch (NumberFormatException e) {
logger.debug("OpenSslContext only support -Djdk.tls.ephemeralDHKeySize={int}, but got: "
+ dhKeySize);
}
}
} catch (Throwable ignore) {
// ignore
}
DH_KEY_LENGTH = dhLen;
}
/**
* This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
* and manually release the native memory see {@link ReferenceCountedOpenSslContext}.
*/
public abstract class OpenSslContext extends ReferenceCountedOpenSslContext {
OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apnCfg, OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apnCfg,
long sessionCacheSize, long sessionTimeout, int mode, Certificate[] keyCertChain, long sessionCacheSize, long sessionTimeout, int mode, Certificate[] keyCertChain,
ClientAuth clientAuth) ClientAuth clientAuth)
throws SSLException { throws SSLException {
this(ciphers, cipherFilter, toNegotiator(apnCfg), sessionCacheSize, sessionTimeout, mode, keyCertChain, super(ciphers, cipherFilter, apnCfg, sessionCacheSize, sessionTimeout, mode, keyCertChain,
clientAuth); clientAuth, false);
} }
OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
OpenSslApplicationProtocolNegotiator apn, long sessionCacheSize, OpenSslApplicationProtocolNegotiator apn, long sessionCacheSize,
long sessionTimeout, int mode, Certificate[] keyCertChain, long sessionTimeout, int mode, Certificate[] keyCertChain,
ClientAuth clientAuth) throws SSLException { ClientAuth clientAuth) throws SSLException {
OpenSsl.ensureAvailability(); super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, mode, keyCertChain, clientAuth, false);
if (mode != SSL.SSL_MODE_SERVER && mode != SSL.SSL_MODE_CLIENT) {
throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
}
this.mode = mode;
this.clientAuth = isServer() ? checkNotNull(clientAuth, "clientAuth") : ClientAuth.NONE;
if (mode == SSL.SSL_MODE_SERVER) {
rejectRemoteInitiatedRenegotiation =
JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
}
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
final List<String> convertedCiphers;
if (ciphers == null) {
convertedCiphers = null;
} else {
convertedCiphers = new ArrayList<String>();
for (String c : ciphers) {
if (c == null) {
break;
}
String converted = CipherSuiteConverter.toOpenSsl(c);
if (converted != null) {
c = converted;
}
convertedCiphers.add(c);
}
}
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
convertedCiphers, DEFAULT_CIPHERS, OpenSsl.availableCipherSuites()));
this.apn = checkNotNull(apn, "apn");
// Allocate a new APR pool.
aprPool = Pool.create(0);
// Create a new SSL_CTX and configure it.
boolean success = false;
try {
synchronized (OpenSslContext.class) {
try {
ctx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, mode);
} catch (Exception e) {
throw new SSLException("failed to create an SSL_CTX", e);
}
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
// Disable ticket support by default to be more inline with SSLEngineImpl of the JDK.
// This also let SSLSession.getId() work the same way for the JDK implementation and the OpenSSLEngine.
// If tickets are supported SSLSession.getId() will only return an ID on the server-side if it could
// make use of tickets.
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
// We need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as the memory address may change between
// calling OpenSSLEngine.wrap(...).
// See https://github.com/netty/netty-tcnative/issues/100
SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
if (DH_KEY_LENGTH != null) {
SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
}
/* List the ciphers that are permitted to negotiate. */
try {
SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers));
} catch (SSLException e) {
throw e;
} catch (Exception e) {
throw new SSLException("failed to set cipher suite: " + unmodifiableCiphers, e);
}
List<String> nextProtoList = apn.protocols();
/* Set next protocols for next protocol negotiation extension, if specified */
if (!nextProtoList.isEmpty()) {
String[] protocols = nextProtoList.toArray(new String[nextProtoList.size()]);
int selectorBehavior = opensslSelectorFailureBehavior(apn.selectorFailureBehavior());
switch (apn.protocol()) {
case NPN:
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
break;
case ALPN:
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
break;
case NPN_AND_ALPN:
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
break;
default:
throw new Error();
}
}
/* Set session cache size, if specified */
if (sessionCacheSize > 0) {
this.sessionCacheSize = sessionCacheSize;
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
} else {
// Get the default session cache size using SSLContext.setSessionCacheSize()
this.sessionCacheSize = sessionCacheSize = SSLContext.setSessionCacheSize(ctx, 20480);
// Revert the session cache size to the default value.
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
}
/* Set session timeout, if specified */
if (sessionTimeout > 0) {
this.sessionTimeout = sessionTimeout;
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
} else {
// Get the default session timeout using SSLContext.setSessionCacheTimeout()
this.sessionTimeout = sessionTimeout = SSLContext.setSessionCacheTimeout(ctx, 300);
// Revert the session timeout to the default value.
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
}
}
success = true;
} finally {
if (!success) {
destroy();
}
}
}
private static int opensslSelectorFailureBehavior(SelectorFailureBehavior behavior) {
switch (behavior) {
case NO_ADVERTISE:
return SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE;
case CHOOSE_MY_LAST_PROTOCOL:
return SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL;
default:
throw new Error();
}
} }
@Override @Override
public final List<String> cipherSuites() { final SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort) {
return unmodifiableCiphers;
}
@Override
public final long sessionCacheSize() {
return sessionCacheSize;
}
@Override
public final long sessionTimeout() {
return sessionTimeout;
}
@Override
public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
return apn;
}
@Override
public final boolean isClient() {
return mode == SSL.SSL_MODE_CLIENT;
}
@Override
public final SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
return new OpenSslEngine(this, alloc, peerHost, peerPort); return new OpenSslEngine(this, alloc, peerHost, peerPort);
} }
abstract OpenSslKeyMaterialManager keyMaterialManager();
/**
* Returns a new server-side {@link SSLEngine} with the current configuration.
*/
@Override
public final SSLEngine newEngine(ByteBufAllocator alloc) {
return newEngine(alloc, null, -1);
}
/**
* Returns the pointer to the {@code SSL_CTX} object for this {@link OpenSslContext}.
* Be aware that it is freed as soon as the {@link #finalize()} method is called.
* At this point {@code 0} will be returned.
*
* @deprecated use {@link #sslCtxPointer()}
*/
@Deprecated
public final long context() {
return ctx;
}
/**
* Returns the stats of this context.
*
* @deprecated use {@link #sessionContext#stats()}
*/
@Deprecated
public final OpenSslSessionStats stats() {
return sessionContext().stats();
}
/**
* Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries
* to initiate a renegotiation a {@link SSLHandshakeException} will be thrown during decoding.
*/
public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation) {
this.rejectRemoteInitiatedRenegotiation = rejectRemoteInitiatedRenegotiation;
}
@Override @Override
@SuppressWarnings("FinalizeDeclaration") @SuppressWarnings("FinalizeDeclaration")
protected final void finalize() throws Throwable { protected final void finalize() throws Throwable {
super.finalize(); super.finalize();
destroy(); safeRelease(this);
}
/**
* Sets the SSL session ticket keys of this context.
*
* @deprecated use {@link OpenSslSessionContext#setTicketKeys(byte[])}
*/
@Deprecated
public final void setTicketKeys(byte[] keys) {
sessionContext().setTicketKeys(keys);
}
@Override
public abstract OpenSslSessionContext sessionContext();
/**
* Returns the pointer to the {@code SSL_CTX} object for this {@link OpenSslContext}.
* Be aware that it is freed as soon as the {@link #finalize()} method is called.
* At this point {@code 0} will be returned.
*/
public final long sslCtxPointer() {
return ctx;
}
// IMPORTANT: This method must only be called from either the constructor or the finalizer as a user MUST never
// get access to an OpenSslSessionContext after this method was called to prevent the user from
// producing a segfault.
final void destroy() {
synchronized (OpenSslContext.class) {
if (ctx != 0) {
SSLContext.free(ctx);
ctx = 0;
}
// Guard against multiple destroyPools() calls triggered by construction exception and finalize() later
if (aprPool != 0) {
Pool.destroy(aprPool);
aprPool = 0;
}
}
}
protected static X509Certificate[] certificates(byte[][] chain) {
X509Certificate[] peerCerts = new X509Certificate[chain.length];
for (int i = 0; i < peerCerts.length; i++) {
peerCerts[i] = new OpenSslX509Certificate(chain[i]);
}
return peerCerts;
}
protected static X509TrustManager chooseTrustManager(TrustManager[] managers) {
for (TrustManager m : managers) {
if (m instanceof X509TrustManager) {
return (X509TrustManager) m;
}
}
throw new IllegalStateException("no X509TrustManager found");
}
protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms) {
for (KeyManager km : kms) {
if (km instanceof X509KeyManager) {
return (X509KeyManager) km;
}
}
throw new IllegalStateException("no X509KeyManager found");
}
/**
* Translate a {@link ApplicationProtocolConfig} object to a
* {@link OpenSslApplicationProtocolNegotiator} object.
*
* @param config The configuration which defines the translation
* @return The results of the translation
*/
static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config) {
if (config == null) {
return NONE_PROTOCOL_NEGOTIATOR;
}
switch (config.protocol()) {
case NONE:
return NONE_PROTOCOL_NEGOTIATOR;
case ALPN:
case NPN:
case NPN_AND_ALPN:
switch (config.selectedListenerFailureBehavior()) {
case CHOOSE_MY_LAST_PROTOCOL:
case ACCEPT:
switch (config.selectorFailureBehavior()) {
case CHOOSE_MY_LAST_PROTOCOL:
case NO_ADVERTISE:
return new OpenSslDefaultApplicationProtocolNegotiator(
config);
default:
throw new UnsupportedOperationException(
new StringBuilder("OpenSSL provider does not support ")
.append(config.selectorFailureBehavior())
.append(" behavior").toString());
}
default:
throw new UnsupportedOperationException(
new StringBuilder("OpenSSL provider does not support ")
.append(config.selectedListenerFailureBehavior())
.append(" behavior").toString());
}
default:
throw new Error();
}
}
static boolean useExtendedTrustManager(X509TrustManager trustManager) {
return PlatformDependent.javaVersion() >= 7 && trustManager instanceof X509ExtendedTrustManager;
}
static boolean useExtendedKeyManager(X509KeyManager keyManager) {
return PlatformDependent.javaVersion() >= 7 && keyManager instanceof X509ExtendedKeyManager;
}
abstract static class AbstractCertificateVerifier implements CertificateVerifier {
private final OpenSslEngineMap engineMap;
AbstractCertificateVerifier(OpenSslEngineMap engineMap) {
this.engineMap = engineMap;
}
@Override
public final int verify(long ssl, byte[][] chain, String auth) {
X509Certificate[] peerCerts = certificates(chain);
final OpenSslEngine engine = engineMap.get(ssl);
try {
verify(engine, peerCerts, auth);
return CertificateVerifier.X509_V_OK;
} catch (Throwable cause) {
logger.debug("verification of certificate failed", cause);
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
e.initCause(cause);
engine.handshakeException = e;
if (cause instanceof OpenSslCertificateException) {
return ((OpenSslCertificateException) cause).errorCode();
}
if (cause instanceof CertificateExpiredException) {
return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
}
if (cause instanceof CertificateNotYetValidException) {
return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
}
if (PlatformDependent.javaVersion() >= 7 && cause instanceof CertificateRevokedException) {
return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
}
return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
}
}
abstract void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth) throws Exception;
}
private static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
private final Map<Long, OpenSslEngine> engines = PlatformDependent.newConcurrentHashMap();
@Override
public OpenSslEngine remove(long ssl) {
return engines.remove(ssl);
}
@Override
public void add(OpenSslEngine engine) {
engines.put(engine.sslPointer(), engine);
}
@Override
public OpenSslEngine get(long ssl) {
return engines.get(ssl);
}
}
static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
throws SSLException {
/* Load the certificate file and private key. */
long keyBio = 0;
long keyCertChainBio = 0;
try {
keyCertChainBio = toBIO(keyCertChain);
keyBio = toBIO(key);
SSLContext.setCertificateBio(
ctx, keyCertChainBio, keyBio,
keyPassword == null ? StringUtil.EMPTY_STRING : keyPassword, SSL.SSL_AIDX_RSA);
// We may have more then one cert in the chain so add all of them now.
SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false);
} catch (SSLException e) {
throw e;
} catch (Exception e) {
throw new SSLException("failed to set certificate and key", e);
} finally {
if (keyBio != 0) {
SSL.freeBIO(keyBio);
}
if (keyCertChainBio != 0) {
SSL.freeBIO(keyCertChainBio);
}
}
}
/**
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
* or {@code 0} if the {@code key} is {@code null}. The BIO contains the content of the {@code key}.
*/
static long toBIO(PrivateKey key) throws Exception {
if (key == null) {
return 0;
}
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
try {
return toBIO(allocator, pem.retain());
} finally {
pem.release();
}
}
/**
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
* or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
*/
static long toBIO(X509Certificate... certChain) throws Exception {
if (certChain == null) {
return 0;
}
if (certChain.length == 0) {
throw new IllegalArgumentException("certChain can't be empty");
}
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
try {
return toBIO(allocator, pem.retain());
} finally {
pem.release();
}
}
private static long toBIO(ByteBufAllocator allocator, PemEncoded pem) throws Exception {
try {
// We can turn direct buffers straight into BIOs. No need to
// make a yet another copy.
ByteBuf content = pem.content();
if (content.isDirect()) {
return newBIO(content.retainedSlice());
}
ByteBuf buffer = allocator.directBuffer(content.readableBytes());
try {
buffer.writeBytes(content, content.readerIndex(), content.readableBytes());
return newBIO(buffer.retainedSlice());
} finally {
try {
// If the contents of the ByteBuf is sensitive (e.g. a PrivateKey) we
// need to zero out the bytes of the copy before we're releasing it.
if (pem.isSensitive()) {
SslUtils.zeroout(buffer);
}
} finally {
buffer.release();
}
}
} finally {
pem.release();
}
}
private static long newBIO(ByteBuf buffer) throws Exception {
try {
long bio = SSL.newMemBIO();
int readable = buffer.readableBytes();
if (SSL.writeToBIO(bio, OpenSsl.memoryAddress(buffer) + buffer.readerIndex(), readable) != readable) {
SSL.freeBIO(bio);
throw new IllegalStateException("Could not write data to memory BIO");
}
return bio;
} finally {
buffer.release();
}
} }
} }

File diff suppressed because it is too large Load Diff

View File

@ -21,15 +21,15 @@ interface OpenSslEngineMap {
* Remove the {@link OpenSslEngine} with the given {@code ssl} address and * Remove the {@link OpenSslEngine} with the given {@code ssl} address and
* return it. * return it.
*/ */
OpenSslEngine remove(long ssl); ReferenceCountedOpenSslEngine remove(long ssl);
/** /**
* Add a {@link OpenSslEngine} to this {@link OpenSslEngineMap}. * Add a {@link OpenSslEngine} to this {@link OpenSslEngineMap}.
*/ */
void add(OpenSslEngine engine); void add(ReferenceCountedOpenSslEngine engine);
/** /**
* Get the {@link OpenSslEngine} for the given {@code ssl} address. * Get the {@link OpenSslEngine} for the given {@code ssl} address.
*/ */
OpenSslEngine get(long ssl); ReferenceCountedOpenSslEngine get(long ssl);
} }

View File

@ -28,12 +28,13 @@ final class OpenSslExtendedKeyMaterialManager extends OpenSslKeyMaterialManager
} }
@Override @Override
protected String chooseClientAlias(OpenSslEngine engine, String[] keyTypes, X500Principal[] issuer) { protected String chooseClientAlias(ReferenceCountedOpenSslEngine engine, String[] keyTypes,
X500Principal[] issuer) {
return keyManager.chooseEngineClientAlias(keyTypes, issuer, engine); return keyManager.chooseEngineClientAlias(keyTypes, issuer, engine);
} }
@Override @Override
protected String chooseServerAlias(OpenSslEngine engine, String type) { protected String chooseServerAlias(ReferenceCountedOpenSslEngine engine, String type) {
return keyManager.chooseEngineServerAlias(type, null, engine); return keyManager.chooseEngineServerAlias(type, null, engine);
} }
} }

View File

@ -65,7 +65,7 @@ class OpenSslKeyMaterialManager {
this.password = password; this.password = password;
} }
void setKeyMaterial(OpenSslEngine engine) throws SSLException { void setKeyMaterial(ReferenceCountedOpenSslEngine engine) throws SSLException {
long ssl = engine.sslPointer(); long ssl = engine.sslPointer();
String[] authMethods = SSL.authenticationMethods(ssl); String[] authMethods = SSL.authenticationMethods(ssl);
Set<String> aliases = new HashSet<String>(authMethods.length); Set<String> aliases = new HashSet<String>(authMethods.length);
@ -80,7 +80,8 @@ class OpenSslKeyMaterialManager {
} }
} }
void setKeyMaterial(OpenSslEngine engine, String[] keyTypes, X500Principal[] issuer) throws SSLException { void setKeyMaterial(ReferenceCountedOpenSslEngine engine, String[] keyTypes,
X500Principal[] issuer) throws SSLException {
setKeyMaterial(engine.sslPointer(), chooseClientAlias(engine, keyTypes, issuer)); setKeyMaterial(engine.sslPointer(), chooseClientAlias(engine, keyTypes, issuer));
} }
@ -116,12 +117,12 @@ class OpenSslKeyMaterialManager {
} }
} }
protected String chooseClientAlias(@SuppressWarnings("unused") OpenSslEngine engine, protected String chooseClientAlias(@SuppressWarnings("unused") ReferenceCountedOpenSslEngine engine,
String[] keyTypes, X500Principal[] issuer) { String[] keyTypes, X500Principal[] issuer) {
return keyManager.chooseClientAlias(keyTypes, issuer, null); return keyManager.chooseClientAlias(keyTypes, issuer, null);
} }
protected String chooseServerAlias(@SuppressWarnings("unused") OpenSslEngine engine, String type) { protected String chooseServerAlias(@SuppressWarnings("unused") ReferenceCountedOpenSslEngine engine, String type) {
return keyManager.chooseServerAlias(type, null, null); return keyManager.chooseServerAlias(type, null, null);
} }
} }

View File

@ -15,30 +15,27 @@
*/ */
package io.netty.handler.ssl; package io.netty.handler.ssl;
import io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.ServerContext;
import org.apache.tomcat.jni.SSL; import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import java.io.File;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException; import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import java.io.File;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import static io.netty.util.internal.ObjectUtil.*; import static io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext;
/** /**
* A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation. * A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
* <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
* and manually release the native memory see {@link ReferenceCountedOpenSslServerContext}.
*/ */
public final class OpenSslServerContext extends OpenSslContext { public final class OpenSslServerContext extends OpenSslContext {
private static final byte[] ID = new byte[] {'n', 'e', 't', 't', 'y'};
private final OpenSslServerSessionContext sessionContext; private final OpenSslServerSessionContext sessionContext;
private final OpenSslKeyMaterialManager keyMaterialManager; private final OpenSslKeyMaterialManager keyMaterialManager;
@ -349,74 +346,14 @@ public final class OpenSslServerContext extends OpenSslContext {
// Create a new SSL_CTX and configure it. // Create a new SSL_CTX and configure it.
boolean success = false; boolean success = false;
try { try {
synchronized (OpenSslContext.class) { ServerContext context = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
try { keyCertChain, key, keyPassword, keyManagerFactory);
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH); sessionContext = context.sessionContext;
if (!OpenSsl.useKeyManagerFactory()) { keyMaterialManager = context.keyMaterialManager;
if (keyManagerFactory != null) {
throw new IllegalArgumentException(
"KeyManagerFactory not supported");
}
/* Set certificate verification policy. */
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
keyMaterialManager = null;
} else {
if (keyCertChain != null) {
keyManagerFactory = buildKeyManagerFactory(
keyCertChain, key, keyPassword, keyManagerFactory);
}
if (keyManagerFactory != null) {
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
keyMaterialManager = useExtendedKeyManager(keyManager) ?
new OpenSslExtendedKeyMaterialManager(
(X509ExtendedKeyManager) keyManager, keyPassword) :
new OpenSslKeyMaterialManager(keyManager, keyPassword);
} else {
keyMaterialManager = null;
}
}
} catch (Exception e) {
throw new SSLException("failed to set certificate and key", e);
}
try {
if (trustCertCollection != null) {
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
} else if (trustManagerFactory == null) {
// Mimic the way SSLContext.getInstance(KeyManager[], null, null) works
trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
}
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
// otherwise the context can never be collected. This is because the JNI code holds
// a global reference to the callbacks.
//
// See https://github.com/netty/netty/issues/5372
// Use this to prevent an error when running on java < 7
if (useExtendedTrustManager(manager)) {
SSLContext.setCertVerifyCallback(ctx,
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
} else {
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
}
} catch (Exception e) {
throw new SSLException("unable to setup trustmanager", e);
}
}
sessionContext = new OpenSslServerSessionContext(this);
sessionContext.setSessionIdContext(ID);
success = true; success = true;
} finally { } finally {
if (!success) { if (!success) {
destroy(); release();
} }
} }
} }
@ -430,34 +367,4 @@ public final class OpenSslServerContext extends OpenSslContext {
OpenSslKeyMaterialManager keyMaterialManager() { OpenSslKeyMaterialManager keyMaterialManager() {
return keyMaterialManager; return keyMaterialManager;
} }
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509TrustManager manager;
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkClientTrusted(peerCerts, auth);
}
}
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509ExtendedTrustManager manager;
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkClientTrusted(peerCerts, auth, engine);
}
}
} }

View File

@ -23,7 +23,7 @@ import org.apache.tomcat.jni.SSLContext;
* {@link OpenSslSessionContext} implementation which offers extra methods which are only useful for the server-side. * {@link OpenSslSessionContext} implementation which offers extra methods which are only useful for the server-side.
*/ */
public final class OpenSslServerSessionContext extends OpenSslSessionContext { public final class OpenSslServerSessionContext extends OpenSslSessionContext {
OpenSslServerSessionContext(OpenSslContext context) { OpenSslServerSessionContext(ReferenceCountedOpenSslContext context) {
super(context); super(context);
} }

View File

@ -32,13 +32,13 @@ public abstract class OpenSslSessionContext implements SSLSessionContext {
private static final Enumeration<byte[]> EMPTY = new EmptyEnumeration(); private static final Enumeration<byte[]> EMPTY = new EmptyEnumeration();
private final OpenSslSessionStats stats; private final OpenSslSessionStats stats;
final OpenSslContext context; final ReferenceCountedOpenSslContext context;
// IMPORTANT: We take the OpenSslContext and not just the long (which points the native instance) to prevent // IMPORTANT: We take the OpenSslContext and not just the long (which points the native instance) to prevent
// the GC to collect OpenSslContext as this would also free the pointer and so could result in a // the GC to collect OpenSslContext as this would also free the pointer and so could result in a
// segfault when the user calls any of the methods here that try to pass the pointer down to the native // segfault when the user calls any of the methods here that try to pass the pointer down to the native
// level. // level.
OpenSslSessionContext(OpenSslContext context) { OpenSslSessionContext(ReferenceCountedOpenSslContext context) {
this.context = context; this.context = context;
stats = new OpenSslSessionStats(context); stats = new OpenSslSessionStats(context);
} }

View File

@ -25,13 +25,13 @@ import org.apache.tomcat.jni.SSLContext;
*/ */
public final class OpenSslSessionStats { public final class OpenSslSessionStats {
private final OpenSslContext context; private final ReferenceCountedOpenSslContext context;
// IMPORTANT: We take the OpenSslContext and not just the long (which points the native instance) to prevent // IMPORTANT: We take the OpenSslContext and not just the long (which points the native instance) to prevent
// the GC to collect OpenSslContext as this would also free the pointer and so could result in a // the GC to collect OpenSslContext as this would also free the pointer and so could result in a
// segfault when the user calls any of the methods here that try to pass the pointer down to the native // segfault when the user calls any of the methods here that try to pass the pointer down to the native
// level. // level.
OpenSslSessionStats(OpenSslContext context) { OpenSslSessionStats(ReferenceCountedOpenSslContext context) {
this.context = context; this.context = context;
} }

View File

@ -0,0 +1,295 @@
/*
* Copyright 2016 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import org.apache.tomcat.jni.CertificateRequestedCallback;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
/**
* A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
* <p>Instances of this class must be {@link #release() released} or else native memory will leak!
*/
public final class ReferenceCountedOpenSslClientContext extends ReferenceCountedOpenSslContext {
private static final InternalLogger logger =
InternalLoggerFactory.getInstance(ReferenceCountedOpenSslClientContext.class);
private final OpenSslSessionContext sessionContext;
ReferenceCountedOpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
long sessionCacheSize, long sessionTimeout)
throws SSLException {
super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_CLIENT, keyCertChain,
ClientAuth.NONE, true);
boolean success = false;
try {
sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
keyCertChain, key, keyPassword, keyManagerFactory);
success = true;
} finally {
if (!success) {
release();
}
}
}
@Override
OpenSslKeyMaterialManager keyMaterialManager() {
return null;
}
@Override
public OpenSslSessionContext sessionContext() {
return sessionContext;
}
static OpenSslSessionContext newSessionContext(ReferenceCountedOpenSslContext thiz, long ctx,
OpenSslEngineMap engineMap,
X509Certificate[] trustCertCollection,
TrustManagerFactory trustManagerFactory,
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
KeyManagerFactory keyManagerFactory) throws SSLException {
if (key == null && keyCertChain != null || key != null && keyCertChain == null) {
throw new IllegalArgumentException(
"Either both keyCertChain and key needs to be null or none of them");
}
synchronized (ReferenceCountedOpenSslContext.class) {
try {
if (!OpenSsl.useKeyManagerFactory()) {
if (keyManagerFactory != null) {
throw new IllegalArgumentException(
"KeyManagerFactory not supported");
}
if (keyCertChain != null/* && key != null*/) {
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
}
} else {
// javadocs state that keyManagerFactory has precedent over keyCertChain
if (keyManagerFactory == null && keyCertChain != null) {
keyManagerFactory = buildKeyManagerFactory(
keyCertChain, key, keyPassword, keyManagerFactory);
}
if (keyManagerFactory != null) {
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
OpenSslKeyMaterialManager materialManager = useExtendedKeyManager(keyManager) ?
new OpenSslExtendedKeyMaterialManager(
(X509ExtendedKeyManager) keyManager, keyPassword) :
new OpenSslKeyMaterialManager(keyManager, keyPassword);
SSLContext.setCertRequestedCallback(ctx, new OpenSslCertificateRequestedCallback(
engineMap, materialManager));
}
}
} catch (Exception e) {
throw new SSLException("failed to set certificate and key", e);
}
SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH);
try {
if (trustCertCollection != null) {
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
} else if (trustManagerFactory == null) {
trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
}
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
// otherwise the context can never be collected. This is because the JNI code holds
// a global reference to the callbacks.
//
// See https://github.com/netty/netty/issues/5372
// Use this to prevent an error when running on java < 7
if (useExtendedTrustManager(manager)) {
SSLContext.setCertVerifyCallback(ctx,
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
} else {
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
}
} catch (Exception e) {
throw new SSLException("unable to setup trustmanager", e);
}
}
return new OpenSslClientSessionContext(thiz);
}
// No cache is currently supported for client side mode.
static final class OpenSslClientSessionContext extends OpenSslSessionContext {
OpenSslClientSessionContext(ReferenceCountedOpenSslContext context) {
super(context);
}
@Override
public void setSessionTimeout(int seconds) {
if (seconds < 0) {
throw new IllegalArgumentException();
}
}
@Override
public int getSessionTimeout() {
return 0;
}
@Override
public void setSessionCacheSize(int size) {
if (size < 0) {
throw new IllegalArgumentException();
}
}
@Override
public int getSessionCacheSize() {
return 0;
}
@Override
public void setSessionCacheEnabled(boolean enabled) {
// ignored
}
@Override
public boolean isSessionCacheEnabled() {
return false;
}
}
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509TrustManager manager;
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkServerTrusted(peerCerts, auth);
}
}
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509ExtendedTrustManager manager;
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkServerTrusted(peerCerts, auth, engine);
}
}
private static final class OpenSslCertificateRequestedCallback implements CertificateRequestedCallback {
private final OpenSslEngineMap engineMap;
private final OpenSslKeyMaterialManager keyManagerHolder;
OpenSslCertificateRequestedCallback(OpenSslEngineMap engineMap, OpenSslKeyMaterialManager keyManagerHolder) {
this.engineMap = engineMap;
this.keyManagerHolder = keyManagerHolder;
}
@Override
public void requested(long ssl, byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) {
final ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
try {
final Set<String> keyTypesSet = supportedClientKeyTypes(keyTypeBytes);
final String[] keyTypes = keyTypesSet.toArray(new String[keyTypesSet.size()]);
final X500Principal[] issuers;
if (asn1DerEncodedPrincipals == null) {
issuers = null;
} else {
issuers = new X500Principal[asn1DerEncodedPrincipals.length];
for (int i = 0; i < asn1DerEncodedPrincipals.length; i++) {
issuers[i] = new X500Principal(asn1DerEncodedPrincipals[i]);
}
}
keyManagerHolder.setKeyMaterial(engine, keyTypes, issuers);
} catch (Throwable cause) {
logger.debug("request of key failed", cause);
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
e.initCause(cause);
engine.handshakeException = e;
}
}
/**
* Gets the supported key types for client certificates.
*
* @param clientCertificateTypes {@code ClientCertificateType} values provided by the server.
* See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml.
* @return supported key types that can be used in {@code X509KeyManager.chooseClientAlias} and
* {@code X509ExtendedKeyManager.chooseEngineClientAlias}.
*/
private static Set<String> supportedClientKeyTypes(byte[] clientCertificateTypes) {
Set<String> result = new HashSet<String>(clientCertificateTypes.length);
for (byte keyTypeCode : clientCertificateTypes) {
String keyType = clientKeyType(keyTypeCode);
if (keyType == null) {
// Unsupported client key type -- ignore
continue;
}
result.add(keyType);
}
return result;
}
private static String clientKeyType(byte clientCertificateType) {
// See also http://www.ietf.org/assignments/tls-parameters/tls-parameters.xml
switch (clientCertificateType) {
case CertificateRequestedCallback.TLS_CT_RSA_SIGN:
return OpenSslKeyMaterialManager.KEY_TYPE_RSA; // RFC rsa_sign
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_DH:
return OpenSslKeyMaterialManager.KEY_TYPE_DH_RSA; // RFC rsa_fixed_dh
case CertificateRequestedCallback.TLS_CT_ECDSA_SIGN:
return OpenSslKeyMaterialManager.KEY_TYPE_EC; // RFC ecdsa_sign
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_ECDH:
return OpenSslKeyMaterialManager.KEY_TYPE_EC_RSA; // RFC rsa_fixed_ecdh
case CertificateRequestedCallback.TLS_CT_ECDSA_FIXED_ECDH:
return OpenSslKeyMaterialManager.KEY_TYPE_EC_EC; // RFC ecdsa_fixed_ecdh
default:
return null;
}
}
}
}

View File

@ -0,0 +1,746 @@
/*
* Copyright 2016 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.util.AbstractReferenceCounted;
import io.netty.util.ReferenceCounted;
import io.netty.util.ResourceLeak;
import io.netty.util.ResourceLeakDetector;
import io.netty.util.ResourceLeakDetectorFactory;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.StringUtil;
import io.netty.util.internal.SystemPropertyUtil;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import org.apache.tomcat.jni.CertificateVerifier;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import java.security.AccessController;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import static io.netty.util.internal.ObjectUtil.checkNotNull;
/**
* An implementation of {@link SslContext} which works with libraries that support the
* <a href="https://www.openssl.org/">OpenSsl</a> C library API.
* <p>Instances of this class must be {@link #release() released} or else native memory will leak!
*/
public abstract class ReferenceCountedOpenSslContext extends SslContext implements ReferenceCounted {
private static final InternalLogger logger =
InternalLoggerFactory.getInstance(ReferenceCountedOpenSslContext.class);
/**
* To make it easier for users to replace JDK implemention with OpenSsl version we also use
* {@code jdk.tls.rejectClientInitiatedRenegotiation} to allow disabling client initiated renegotiation.
* Java8+ uses this system property as well.
* <p>
* See also <a href="http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html">
* Significant SSL/TLS improvements in Java 8</a>
*/
private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION =
SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false);
private static final List<String> DEFAULT_CIPHERS;
private static final Integer DH_KEY_LENGTH;
private static final ResourceLeakDetector<ReferenceCountedOpenSslContext> leakDetector =
ResourceLeakDetectorFactory.instance().newResourceLeakDetector(ReferenceCountedOpenSslContext.class);
// TODO: Maybe make configurable ?
protected static final int VERIFY_DEPTH = 10;
/**
* The OpenSSL SSL_CTX object
*/
protected volatile long ctx;
long aprPool;
@SuppressWarnings({ "unused", "FieldMayBeFinal" })
private volatile int aprPoolDestroyed;
private final List<String> unmodifiableCiphers;
private final long sessionCacheSize;
private final long sessionTimeout;
private final OpenSslApplicationProtocolNegotiator apn;
private final int mode;
// Reference Counting
private final ResourceLeak leak;
private final AbstractReferenceCounted refCnt = new AbstractReferenceCounted() {
@Override
public ReferenceCounted touch(Object hint) {
if (leak != null) {
leak.record(hint);
}
return ReferenceCountedOpenSslContext.this;
}
@Override
protected void deallocate() {
destroy();
if (leak != null) {
leak.close();
}
}
};
final Certificate[] keyCertChain;
final ClientAuth clientAuth;
final OpenSslEngineMap engineMap = new DefaultOpenSslEngineMap();
volatile boolean rejectRemoteInitiatedRenegotiation;
static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR =
new OpenSslApplicationProtocolNegotiator() {
@Override
public ApplicationProtocolConfig.Protocol protocol() {
return ApplicationProtocolConfig.Protocol.NONE;
}
@Override
public List<String> protocols() {
return Collections.emptyList();
}
@Override
public ApplicationProtocolConfig.SelectorFailureBehavior selectorFailureBehavior() {
return ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL;
}
@Override
public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListenerFailureBehavior() {
return ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT;
}
};
static {
List<String> ciphers = new ArrayList<String>();
// XXX: Make sure to sync this list with JdkSslEngineFactory.
Collections.addAll(
ciphers,
"ECDHE-RSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-SHA",
"ECDHE-RSA-AES256-SHA",
"AES128-GCM-SHA256",
"AES128-SHA",
"AES256-SHA",
"DES-CBC3-SHA");
DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
if (logger.isDebugEnabled()) {
logger.debug("Default cipher suite (OpenSSL): " + ciphers);
}
Integer dhLen = null;
try {
String dhKeySize = AccessController.doPrivileged(new PrivilegedAction<String>() {
@Override
public String run() {
return SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
}
});
if (dhKeySize != null) {
try {
dhLen = Integer.valueOf(dhKeySize);
} catch (NumberFormatException e) {
logger.debug("ReferenceCountedOpenSslContext supports -Djdk.tls.ephemeralDHKeySize={int}, but got: "
+ dhKeySize);
}
}
} catch (Throwable ignore) {
// ignore
}
DH_KEY_LENGTH = dhLen;
}
ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
ApplicationProtocolConfig apnCfg, long sessionCacheSize, long sessionTimeout,
int mode, Certificate[] keyCertChain, ClientAuth clientAuth, boolean leakDetection)
throws SSLException {
this(ciphers, cipherFilter, toNegotiator(apnCfg), sessionCacheSize, sessionTimeout, mode, keyCertChain,
clientAuth, leakDetection);
}
ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
OpenSslApplicationProtocolNegotiator apn, long sessionCacheSize,
long sessionTimeout, int mode, Certificate[] keyCertChain,
ClientAuth clientAuth, boolean leakDetection) throws SSLException {
OpenSsl.ensureAvailability();
if (mode != SSL.SSL_MODE_SERVER && mode != SSL.SSL_MODE_CLIENT) {
throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
}
leak = leakDetection ? leakDetector.open(this) : null;
this.mode = mode;
this.clientAuth = isServer() ? checkNotNull(clientAuth, "clientAuth") : ClientAuth.NONE;
if (mode == SSL.SSL_MODE_SERVER) {
rejectRemoteInitiatedRenegotiation =
JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
}
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
final List<String> convertedCiphers;
if (ciphers == null) {
convertedCiphers = null;
} else {
convertedCiphers = new ArrayList<String>();
for (String c : ciphers) {
if (c == null) {
break;
}
String converted = CipherSuiteConverter.toOpenSsl(c);
if (converted != null) {
c = converted;
}
convertedCiphers.add(c);
}
}
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
convertedCiphers, DEFAULT_CIPHERS, OpenSsl.availableCipherSuites()));
this.apn = checkNotNull(apn, "apn");
// Allocate a new APR pool.
aprPool = Pool.create(0);
// Create a new SSL_CTX and configure it.
boolean success = false;
try {
synchronized (ReferenceCountedOpenSslContext.class) {
try {
ctx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, mode);
} catch (Exception e) {
throw new SSLException("failed to create an SSL_CTX", e);
}
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
// Disable ticket support by default to be more inline with SSLEngineImpl of the JDK.
// This also let SSLSession.getId() work the same way for the JDK implementation and the OpenSSLEngine.
// If tickets are supported SSLSession.getId() will only return an ID on the server-side if it could
// make use of tickets.
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
// We need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as the memory address may change between
// calling OpenSSLEngine.wrap(...).
// See https://github.com/netty/netty-tcnative/issues/100
SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
if (DH_KEY_LENGTH != null) {
SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
}
/* List the ciphers that are permitted to negotiate. */
try {
SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers));
} catch (SSLException e) {
throw e;
} catch (Exception e) {
throw new SSLException("failed to set cipher suite: " + unmodifiableCiphers, e);
}
List<String> nextProtoList = apn.protocols();
/* Set next protocols for next protocol negotiation extension, if specified */
if (!nextProtoList.isEmpty()) {
String[] protocols = nextProtoList.toArray(new String[nextProtoList.size()]);
int selectorBehavior = opensslSelectorFailureBehavior(apn.selectorFailureBehavior());
switch (apn.protocol()) {
case NPN:
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
break;
case ALPN:
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
break;
case NPN_AND_ALPN:
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
break;
default:
throw new Error();
}
}
/* Set session cache size, if specified */
if (sessionCacheSize > 0) {
this.sessionCacheSize = sessionCacheSize;
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
} else {
// Get the default session cache size using SSLContext.setSessionCacheSize()
this.sessionCacheSize = sessionCacheSize = SSLContext.setSessionCacheSize(ctx, 20480);
// Revert the session cache size to the default value.
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
}
/* Set session timeout, if specified */
if (sessionTimeout > 0) {
this.sessionTimeout = sessionTimeout;
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
} else {
// Get the default session timeout using SSLContext.setSessionCacheTimeout()
this.sessionTimeout = sessionTimeout = SSLContext.setSessionCacheTimeout(ctx, 300);
// Revert the session timeout to the default value.
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
}
}
success = true;
} finally {
if (!success) {
release();
}
}
}
private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior) {
switch (behavior) {
case NO_ADVERTISE:
return SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE;
case CHOOSE_MY_LAST_PROTOCOL:
return SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL;
default:
throw new Error();
}
}
@Override
public final List<String> cipherSuites() {
return unmodifiableCiphers;
}
@Override
public final long sessionCacheSize() {
return sessionCacheSize;
}
@Override
public final long sessionTimeout() {
return sessionTimeout;
}
@Override
public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
return apn;
}
@Override
public final boolean isClient() {
return mode == SSL.SSL_MODE_CLIENT;
}
@Override
public final SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
return newEngine0(alloc, peerHost, peerPort);
}
SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort) {
return new ReferenceCountedOpenSslEngine(this, alloc, peerHost, peerPort, true);
}
abstract OpenSslKeyMaterialManager keyMaterialManager();
/**
* Returns a new server-side {@link SSLEngine} with the current configuration.
*/
@Override
public final SSLEngine newEngine(ByteBufAllocator alloc) {
return newEngine(alloc, null, -1);
}
/**
* Returns the pointer to the {@code SSL_CTX} object for this {@link ReferenceCountedOpenSslContext}.
* Be aware that it is freed as soon as the {@link #finalize()} method is called.
* At this point {@code 0} will be returned.
*
* @deprecated use {@link #sslCtxPointer()}
*/
@Deprecated
public final long context() {
return ctx;
}
/**
* Returns the stats of this context.
*
* @deprecated use {@link #sessionContext#stats()}
*/
@Deprecated
public final OpenSslSessionStats stats() {
return sessionContext().stats();
}
/**
* Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries
* to initiate a renegotiation a {@link SSLHandshakeException} will be thrown during decoding.
*/
public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation) {
this.rejectRemoteInitiatedRenegotiation = rejectRemoteInitiatedRenegotiation;
}
/**
* Sets the SSL session ticket keys of this context.
*
* @deprecated use {@link OpenSslSessionContext#setTicketKeys(byte[])}
*/
@Deprecated
public final void setTicketKeys(byte[] keys) {
sessionContext().setTicketKeys(keys);
}
@Override
public abstract OpenSslSessionContext sessionContext();
/**
* Returns the pointer to the {@code SSL_CTX} object for this {@link ReferenceCountedOpenSslContext}.
* Be aware that it is freed as soon as the {@link #release()} method is called.
* At this point {@code 0} will be returned.
*/
public final long sslCtxPointer() {
return ctx;
}
// IMPORTANT: This method must only be called from either the constructor or the finalizer as a user MUST never
// get access to an OpenSslSessionContext after this method was called to prevent the user from
// producing a segfault.
final void destroy() {
synchronized (ReferenceCountedOpenSslContext.class) {
if (ctx != 0) {
SSLContext.free(ctx);
ctx = 0;
}
// Guard against multiple destroyPools() calls triggered by construction exception and finalize() later
if (aprPool != 0) {
Pool.destroy(aprPool);
aprPool = 0;
}
}
}
protected static X509Certificate[] certificates(byte[][] chain) {
X509Certificate[] peerCerts = new X509Certificate[chain.length];
for (int i = 0; i < peerCerts.length; i++) {
peerCerts[i] = new OpenSslX509Certificate(chain[i]);
}
return peerCerts;
}
protected static X509TrustManager chooseTrustManager(TrustManager[] managers) {
for (TrustManager m : managers) {
if (m instanceof X509TrustManager) {
return (X509TrustManager) m;
}
}
throw new IllegalStateException("no X509TrustManager found");
}
protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms) {
for (KeyManager km : kms) {
if (km instanceof X509KeyManager) {
return (X509KeyManager) km;
}
}
throw new IllegalStateException("no X509KeyManager found");
}
/**
* Translate a {@link ApplicationProtocolConfig} object to a
* {@link OpenSslApplicationProtocolNegotiator} object.
*
* @param config The configuration which defines the translation
* @return The results of the translation
*/
static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config) {
if (config == null) {
return NONE_PROTOCOL_NEGOTIATOR;
}
switch (config.protocol()) {
case NONE:
return NONE_PROTOCOL_NEGOTIATOR;
case ALPN:
case NPN:
case NPN_AND_ALPN:
switch (config.selectedListenerFailureBehavior()) {
case CHOOSE_MY_LAST_PROTOCOL:
case ACCEPT:
switch (config.selectorFailureBehavior()) {
case CHOOSE_MY_LAST_PROTOCOL:
case NO_ADVERTISE:
return new OpenSslDefaultApplicationProtocolNegotiator(
config);
default:
throw new UnsupportedOperationException(
new StringBuilder("OpenSSL provider does not support ")
.append(config.selectorFailureBehavior())
.append(" behavior").toString());
}
default:
throw new UnsupportedOperationException(
new StringBuilder("OpenSSL provider does not support ")
.append(config.selectedListenerFailureBehavior())
.append(" behavior").toString());
}
default:
throw new Error();
}
}
static boolean useExtendedTrustManager(X509TrustManager trustManager) {
return PlatformDependent.javaVersion() >= 7 && trustManager instanceof X509ExtendedTrustManager;
}
static boolean useExtendedKeyManager(X509KeyManager keyManager) {
return PlatformDependent.javaVersion() >= 7 && keyManager instanceof X509ExtendedKeyManager;
}
@Override
public final int refCnt() {
return refCnt.refCnt();
}
@Override
public final ReferenceCounted retain() {
refCnt.retain();
return this;
}
@Override
public final ReferenceCounted retain(int increment) {
refCnt.retain(increment);
return this;
}
@Override
public final ReferenceCounted touch() {
refCnt.touch();
return this;
}
@Override
public final ReferenceCounted touch(Object hint) {
refCnt.touch(hint);
return this;
}
@Override
public final boolean release() {
return refCnt.release();
}
@Override
public final boolean release(int decrement) {
return refCnt.release(decrement);
}
abstract static class AbstractCertificateVerifier implements CertificateVerifier {
private final OpenSslEngineMap engineMap;
AbstractCertificateVerifier(OpenSslEngineMap engineMap) {
this.engineMap = engineMap;
}
@Override
public final int verify(long ssl, byte[][] chain, String auth) {
X509Certificate[] peerCerts = certificates(chain);
final ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
try {
verify(engine, peerCerts, auth);
return CertificateVerifier.X509_V_OK;
} catch (Throwable cause) {
logger.debug("verification of certificate failed", cause);
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
e.initCause(cause);
engine.handshakeException = e;
if (cause instanceof OpenSslCertificateException) {
return ((OpenSslCertificateException) cause).errorCode();
}
if (cause instanceof CertificateExpiredException) {
return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
}
if (cause instanceof CertificateNotYetValidException) {
return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
}
if (PlatformDependent.javaVersion() >= 7 && cause instanceof CertificateRevokedException) {
return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
}
return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
}
}
abstract void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts,
String auth) throws Exception;
}
private static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
private final Map<Long, ReferenceCountedOpenSslEngine> engines = PlatformDependent.newConcurrentHashMap();
@Override
public ReferenceCountedOpenSslEngine remove(long ssl) {
return engines.remove(ssl);
}
@Override
public void add(ReferenceCountedOpenSslEngine engine) {
engines.put(engine.sslPointer(), engine);
}
@Override
public ReferenceCountedOpenSslEngine get(long ssl) {
return engines.get(ssl);
}
}
static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
throws SSLException {
/* Load the certificate file and private key. */
long keyBio = 0;
long keyCertChainBio = 0;
try {
keyCertChainBio = toBIO(keyCertChain);
keyBio = toBIO(key);
SSLContext.setCertificateBio(
ctx, keyCertChainBio, keyBio,
keyPassword == null ? StringUtil.EMPTY_STRING : keyPassword, SSL.SSL_AIDX_RSA);
// We may have more then one cert in the chain so add all of them now.
SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false);
} catch (SSLException e) {
throw e;
} catch (Exception e) {
throw new SSLException("failed to set certificate and key", e);
} finally {
if (keyBio != 0) {
SSL.freeBIO(keyBio);
}
if (keyCertChainBio != 0) {
SSL.freeBIO(keyCertChainBio);
}
}
}
/**
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
* or {@code 0} if the {@code key} is {@code null}. The BIO contains the content of the {@code key}.
*/
static long toBIO(PrivateKey key) throws Exception {
if (key == null) {
return 0;
}
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
try {
return toBIO(allocator, pem.retain());
} finally {
pem.release();
}
}
/**
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
* or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
*/
static long toBIO(X509Certificate... certChain) throws Exception {
if (certChain == null) {
return 0;
}
if (certChain.length == 0) {
throw new IllegalArgumentException("certChain can't be empty");
}
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
try {
return toBIO(allocator, pem.retain());
} finally {
pem.release();
}
}
private static long toBIO(ByteBufAllocator allocator, PemEncoded pem) throws Exception {
try {
// We can turn direct buffers straight into BIOs. No need to
// make a yet another copy.
ByteBuf content = pem.content();
if (content.isDirect()) {
return newBIO(content.retainedSlice());
}
ByteBuf buffer = allocator.directBuffer(content.readableBytes());
try {
buffer.writeBytes(content, content.readerIndex(), content.readableBytes());
return newBIO(buffer.retainedSlice());
} finally {
try {
// If the contents of the ByteBuf is sensitive (e.g. a PrivateKey) we
// need to zero out the bytes of the copy before we're releasing it.
if (pem.isSensitive()) {
SslUtils.zeroout(buffer);
}
} finally {
buffer.release();
}
}
} finally {
pem.release();
}
}
private static long newBIO(ByteBuf buffer) throws Exception {
try {
long bio = SSL.newMemBIO();
int readable = buffer.readableBytes();
if (SSL.writeToBIO(bio, OpenSsl.memoryAddress(buffer) + buffer.readerIndex(), readable) != readable) {
SSL.freeBIO(bio);
throw new IllegalStateException("Could not write data to memory BIO");
}
return bio;
} finally {
buffer.release();
}
}
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,191 @@
/*
* Copyright 2016 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import static io.netty.util.internal.ObjectUtil.checkNotNull;
/**
* A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
* <p>Instances of this class must be {@link #release() released} or else native memory will leak!
*/
public final class ReferenceCountedOpenSslServerContext extends ReferenceCountedOpenSslContext {
private static final byte[] ID = new byte[] {'n', 'e', 't', 't', 'y'};
private final OpenSslServerSessionContext sessionContext;
private final OpenSslKeyMaterialManager keyMaterialManager;
ReferenceCountedOpenSslServerContext(
X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth) throws SSLException {
this(trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, ciphers,
cipherFilter, toNegotiator(apn), sessionCacheSize, sessionTimeout, clientAuth);
}
private ReferenceCountedOpenSslServerContext(
X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth) throws SSLException {
super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_SERVER, keyCertChain,
clientAuth, true);
// Create a new SSL_CTX and configure it.
boolean success = false;
try {
ServerContext context = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
keyCertChain, key, keyPassword, keyManagerFactory);
sessionContext = context.sessionContext;
keyMaterialManager = context.keyMaterialManager;
success = true;
} finally {
if (!success) {
release();
}
}
}
@Override
public OpenSslServerSessionContext sessionContext() {
return sessionContext;
}
@Override
OpenSslKeyMaterialManager keyMaterialManager() {
return keyMaterialManager;
}
static final class ServerContext {
OpenSslServerSessionContext sessionContext;
OpenSslKeyMaterialManager keyMaterialManager;
}
static ServerContext newSessionContext(ReferenceCountedOpenSslContext thiz, long ctx, OpenSslEngineMap engineMap,
X509Certificate[] trustCertCollection,
TrustManagerFactory trustManagerFactory,
X509Certificate[] keyCertChain, PrivateKey key,
String keyPassword, KeyManagerFactory keyManagerFactory)
throws SSLException {
ServerContext result = new ServerContext();
synchronized (ReferenceCountedOpenSslContext.class) {
try {
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
if (!OpenSsl.useKeyManagerFactory()) {
if (keyManagerFactory != null) {
throw new IllegalArgumentException(
"KeyManagerFactory not supported");
}
checkNotNull(keyCertChain, "keyCertChain");
/* Set certificate verification policy. */
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
} else {
// javadocs state that keyManagerFactory has precedent over keyCertChain, and we must have a
// keyManagerFactory for the server so build one if it is not specified.
if (keyManagerFactory == null) {
keyManagerFactory = buildKeyManagerFactory(
keyCertChain, key, keyPassword, keyManagerFactory);
}
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
result.keyMaterialManager = useExtendedKeyManager(keyManager) ?
new OpenSslExtendedKeyMaterialManager(
(X509ExtendedKeyManager) keyManager, keyPassword) :
new OpenSslKeyMaterialManager(keyManager, keyPassword);
}
} catch (Exception e) {
throw new SSLException("failed to set certificate and key", e);
}
try {
if (trustCertCollection != null) {
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
} else if (trustManagerFactory == null) {
// Mimic the way SSLContext.getInstance(KeyManager[], null, null) works
trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
}
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
// otherwise the context can never be collected. This is because the JNI code holds
// a global reference to the callbacks.
//
// See https://github.com/netty/netty/issues/5372
// Use this to prevent an error when running on java < 7
if (useExtendedTrustManager(manager)) {
SSLContext.setCertVerifyCallback(ctx,
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
} else {
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
}
} catch (Exception e) {
throw new SSLException("unable to setup trustmanager", e);
}
}
result.sessionContext = new OpenSslServerSessionContext(thiz);
result.sessionContext.setSessionIdContext(ID);
return result;
}
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509TrustManager manager;
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkClientTrusted(peerCerts, auth);
}
}
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
private final X509ExtendedTrustManager manager;
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
super(engineMap);
this.manager = manager;
}
@Override
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
throws Exception {
manager.checkClientTrusted(peerCerts, auth, engine);
}
}
}

View File

@ -396,8 +396,7 @@ public abstract class SslContext {
X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory, X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn, Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
long sessionCacheSize, long sessionTimeout, long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth) throws SSLException {
ClientAuth clientAuth) throws SSLException {
if (provider == null) { if (provider == null) {
provider = defaultServerProvider(); provider = defaultServerProvider();
@ -414,6 +413,11 @@ public abstract class SslContext {
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth); clientAuth);
case OPENSSL_REFCNT:
return new ReferenceCountedOpenSslServerContext(
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
clientAuth);
default: default:
throw new Error(provider.toString()); throw new Error(provider.toString());
} }
@ -749,9 +753,13 @@ public abstract class SslContext {
return new OpenSslClientContext( return new OpenSslClientContext(
trustCert, trustManagerFactory, keyCertChain, key, keyPassword, trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout); keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
case OPENSSL_REFCNT:
return new ReferenceCountedOpenSslClientContext(
trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
default:
throw new Error(provider.toString());
} }
// Should never happen!!
throw new Error();
} }
static ApplicationProtocolConfig toApplicationProtocolConfig(Iterable<String> nextProtocols) { static ApplicationProtocolConfig toApplicationProtocolConfig(Iterable<String> nextProtocols) {
@ -813,14 +821,17 @@ public abstract class SslContext {
/** /**
* Creates a new {@link SSLEngine}. * Creates a new {@link SSLEngine}.
* * <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the object must be released. One way to do this is to
* wrap in a {@link SslHandler} and insert it into a pipeline. See {@link #newHandler(ByteBufAllocator)}.
* @return a new {@link SSLEngine} * @return a new {@link SSLEngine}
*/ */
public abstract SSLEngine newEngine(ByteBufAllocator alloc); public abstract SSLEngine newEngine(ByteBufAllocator alloc);
/** /**
* Creates a new {@link SSLEngine} using advisory peer information. * Creates a new {@link SSLEngine} using advisory peer information.
* * <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the object must be released. One way to do this is to
* wrap in a {@link SslHandler} and insert it into a pipeline.
* See {@link #newHandler(ByteBufAllocator, String, int)}.
* @param peerHost the non-authoritative name of the host * @param peerHost the non-authoritative name of the host
* @param peerPort the non-authoritative port * @param peerPort the non-authoritative port
* *
@ -835,7 +846,9 @@ public abstract class SslContext {
/** /**
* Creates a new {@link SslHandler}. * Creates a new {@link SslHandler}.
* * <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the returned {@link SslHandler} will release the engine
* that is wrapped. If the returned {@link SslHandler} is not inserted into a pipeline then you may leak native
* memory!
* @return a new {@link SslHandler} * @return a new {@link SslHandler}
*/ */
public final SslHandler newHandler(ByteBufAllocator alloc) { public final SslHandler newHandler(ByteBufAllocator alloc) {
@ -844,7 +857,9 @@ public abstract class SslContext {
/** /**
* Creates a new {@link SslHandler} with advisory peer information. * Creates a new {@link SslHandler} with advisory peer information.
* * <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the returned {@link SslHandler} will release the engine
* that is wrapped. If the returned {@link SslHandler} is not inserted into a pipeline then you may leak native
* memory!
* @param peerHost the non-authoritative name of the host * @param peerHost the non-authoritative name of the host
* @param peerPort the non-authoritative port * @param peerPort the non-authoritative port
* *

View File

@ -385,6 +385,8 @@ public final class SslContextBuilder {
/** /**
* Create new {@code SslContext} instance with configured settings. * Create new {@code SslContext} instance with configured settings.
* <p>If {@link #sslProvider(SslProvider)} is set to {@link SslProvider#OPENSSL_REFCNT} then the caller is
* responsible for releasing this object, or else native memory may leak.
*/ */
public SslContext build() throws SSLException { public SslContext build() throws SSLException {
if (forServer) { if (forServer) {

View File

@ -421,9 +421,8 @@ public class SslHandler extends ByteToMessageDecoder implements ChannelOutboundH
// Check if queue is not empty first because create a new ChannelException is expensive // Check if queue is not empty first because create a new ChannelException is expensive
pendingUnencryptedWrites.removeAndFailAll(new ChannelException("Pending write on removal of SslHandler")); pendingUnencryptedWrites.removeAndFailAll(new ChannelException("Pending write on removal of SslHandler"));
} }
if (engine instanceof OpenSslEngine) { if (engine instanceof ReferenceCountedOpenSslEngine) {
// Call shutdown so we ensure all the native memory is released asap ((ReferenceCountedOpenSslEngine) engine).release();
((OpenSslEngine) engine).shutdown();
} }
} }

View File

@ -16,6 +16,9 @@
package io.netty.handler.ssl; package io.netty.handler.ssl;
import io.netty.util.ReferenceCounted;
import io.netty.util.internal.UnstableApi;
/** /**
* An enumeration of SSL/TLS protocol providers. * An enumeration of SSL/TLS protocol providers.
*/ */
@ -27,5 +30,10 @@ public enum SslProvider {
/** /**
* OpenSSL-based implementation. * OpenSSL-based implementation.
*/ */
OPENSSL OPENSSL,
/**
* OpenSSL-based implementation which does not have finalizers and instead implements {@link ReferenceCounted}.
*/
@UnstableApi
OPENSSL_REFCNT
} }

View File

@ -21,6 +21,7 @@ import io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBeh
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior; import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory; import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate; import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.ReferenceCountUtil;
import io.netty.util.internal.ThreadLocalRandom; import io.netty.util.internal.ThreadLocalRandom;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
@ -79,26 +80,33 @@ public class OpenSslEngineTest extends SSLEngineTest {
} }
@Test @Test
public void testWrapHeapBuffersNoWritePendingError() throws Exception { public void testWrapHeapBuffersNoWritePendingError() throws Exception {
final SslContext clientContext = SslContextBuilder.forClient() clientSslCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE)
.sslProvider(sslProvider()) .sslProvider(sslProvider())
.build(); .build();
SelfSignedCertificate ssc = new SelfSignedCertificate(); SelfSignedCertificate ssc = new SelfSignedCertificate();
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.sslProvider(sslProvider()) .sslProvider(sslProvider())
.build(); .build();
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT); SSLEngine clientEngine = null;
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT); SSLEngine serverEngine = null;
handshake(clientEngine, serverEngine); try {
clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
handshake(clientEngine, serverEngine);
ByteBuffer src = ByteBuffer.allocate(1024 * 10); ByteBuffer src = ByteBuffer.allocate(1024 * 10);
ThreadLocalRandom.current().nextBytes(src.array()); ThreadLocalRandom.current().nextBytes(src.array());
ByteBuffer dst = ByteBuffer.allocate(1); ByteBuffer dst = ByteBuffer.allocate(1);
// Try to wrap multiple times so we are more likely to hit the issue. // Try to wrap multiple times so we are more likely to hit the issue.
for (int i = 0; i < 100; i++) { for (int i = 0; i < 100; i++) {
src.position(0); src.position(0);
dst.position(0); dst.position(0);
assertSame(SSLEngineResult.Status.BUFFER_OVERFLOW, clientEngine.wrap(src, dst).getStatus()); assertSame(SSLEngineResult.Status.BUFFER_OVERFLOW, clientEngine.wrap(src, dst).getStatus());
}
} finally {
cleanupSslEngine(clientEngine);
cleanupSslEngine(serverEngine);
} }
} }

View File

@ -0,0 +1,37 @@
/*
* Copyright 2016 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.util.ReferenceCountUtil;
import javax.net.ssl.SSLEngine;
public class ReferenceCountedOpenSslEngineTest extends OpenSslEngineTest {
@Override
protected SslProvider sslProvider() {
return SslProvider.OPENSSL_REFCNT;
}
@Override
protected void cleanupSslContext(SslContext ctx) {
ReferenceCountUtil.release(ctx);
}
@Override
protected void cleanupSslEngine(SSLEngine engine) {
ReferenceCountUtil.release(engine);
}
}

View File

@ -130,6 +130,14 @@ public abstract class SSLEngineTest {
serverChannel.close().sync(); serverChannel.close().sync();
serverChannel = null; serverChannel = null;
} }
if (serverSslCtx != null) {
cleanupSslContext(serverSslCtx);
serverSslCtx = null;
}
if (clientSslCtx != null) {
cleanupSslContext(clientSslCtx);
clientSslCtx = null;
}
Future<?> serverGroupShutdownFuture = null; Future<?> serverGroupShutdownFuture = null;
Future<?> serverChildGroupShutdownFuture = null; Future<?> serverChildGroupShutdownFuture = null;
Future<?> clientGroupShutdownFuture = null; Future<?> clientGroupShutdownFuture = null;
@ -333,54 +341,73 @@ public abstract class SSLEngineTest {
@Test @Test
public void testGetCreationTime() throws Exception { public void testGetCreationTime() throws Exception {
SslContext context = SslContextBuilder.forClient().sslProvider(sslProvider()).build(); clientSslCtx = SslContextBuilder.forClient().sslProvider(sslProvider()).build();
SSLEngine engine = context.newEngine(UnpooledByteBufAllocator.DEFAULT); SSLEngine engine = null;
assertTrue(engine.getSession().getCreationTime() <= System.currentTimeMillis()); try {
engine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
assertTrue(engine.getSession().getCreationTime() <= System.currentTimeMillis());
} finally {
cleanupSslEngine(engine);
}
} }
@Test @Test
public void testSessionInvalidate() throws Exception { public void testSessionInvalidate() throws Exception {
final SslContext clientContext = SslContextBuilder.forClient() clientSslCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE)
.sslProvider(sslProvider()) .sslProvider(sslProvider())
.build(); .build();
SelfSignedCertificate ssc = new SelfSignedCertificate(); SelfSignedCertificate ssc = new SelfSignedCertificate();
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.sslProvider(sslProvider()) .sslProvider(sslProvider())
.build(); .build();
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT); SSLEngine clientEngine = null;
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT); SSLEngine serverEngine = null;
handshake(clientEngine, serverEngine); try {
clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
handshake(clientEngine, serverEngine);
SSLSession session = serverEngine.getSession(); SSLSession session = serverEngine.getSession();
assertTrue(session.isValid()); assertTrue(session.isValid());
session.invalidate(); session.invalidate();
assertFalse(session.isValid()); assertFalse(session.isValid());
} finally {
cleanupSslEngine(clientEngine);
cleanupSslEngine(serverEngine);
}
} }
@Test @Test
public void testSSLSessionId() throws Exception { public void testSSLSessionId() throws Exception {
final SslContext clientContext = SslContextBuilder.forClient() clientSslCtx = SslContextBuilder.forClient()
.trustManager(InsecureTrustManagerFactory.INSTANCE) .trustManager(InsecureTrustManagerFactory.INSTANCE)
.sslProvider(sslProvider()) .sslProvider(sslProvider())
.build(); .build();
SelfSignedCertificate ssc = new SelfSignedCertificate(); SelfSignedCertificate ssc = new SelfSignedCertificate();
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
.sslProvider(sslProvider()) .sslProvider(sslProvider())
.build(); .build();
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT); SSLEngine clientEngine = null;
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT); SSLEngine serverEngine = null;
try {
clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
// Before the handshake the id should have length == 0 // Before the handshake the id should have length == 0
assertEquals(0, clientEngine.getSession().getId().length); assertEquals(0, clientEngine.getSession().getId().length);
assertEquals(0, serverEngine.getSession().getId().length); assertEquals(0, serverEngine.getSession().getId().length);
handshake(clientEngine, serverEngine); handshake(clientEngine, serverEngine);
// After the handshake the id should have length > 0 // After the handshake the id should have length > 0
assertNotEquals(0, clientEngine.getSession().getId().length); assertNotEquals(0, clientEngine.getSession().getId().length);
assertNotEquals(0, serverEngine.getSession().getId().length); assertNotEquals(0, serverEngine.getSession().getId().length);
assertArrayEquals(clientEngine.getSession().getId(), serverEngine.getSession().getId()); assertArrayEquals(clientEngine.getSession().getId(), serverEngine.getSession().getId());
} finally {
cleanupSslEngine(clientEngine);
cleanupSslEngine(serverEngine);
}
} }
@Test(timeout = 3000) @Test(timeout = 3000)
@ -493,11 +520,11 @@ public abstract class SSLEngineTest {
try { try {
File serverKeyFile = new File(getClass().getResource("test_unencrypted.pem").getFile()); File serverKeyFile = new File(getClass().getResource("test_unencrypted.pem").getFile());
File serverCrtFile = new File(getClass().getResource("test.crt").getFile()); File serverCrtFile = new File(getClass().getResource("test.crt").getFile());
SslContext sslContext = SslContextBuilder.forServer(serverCrtFile, serverKeyFile) serverSslCtx = SslContextBuilder.forServer(serverCrtFile, serverKeyFile)
.sslProvider(sslProvider()) .sslProvider(sslProvider())
.build(); .build();
sslEngine = sslContext.newEngine(UnpooledByteBufAllocator.DEFAULT); sslEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
// Disable all protocols // Disable all protocols
sslEngine.setEnabledProtocols(new String[]{}); sslEngine.setEnabledProtocols(new String[]{});
@ -518,6 +545,7 @@ public abstract class SSLEngineTest {
if (sslEngine != null) { if (sslEngine != null) {
sslEngine.closeInbound(); sslEngine.closeInbound();
sslEngine.closeOutbound(); sslEngine.closeOutbound();
cleanupSslEngine(sslEngine);
} }
} }
} }
@ -575,6 +603,18 @@ public abstract class SSLEngineTest {
protected abstract SslProvider sslProvider(); protected abstract SslProvider sslProvider();
/**
* Called from the test cleanup code and can be used to release the {@code ctx} if it must be done manually.
*/
protected void cleanupSslContext(SslContext ctx) {
}
/**
* Called when ever an SSLEngine is not wrapped by a {@link SslHandler} and inserted into a pipeline.
*/
protected void cleanupSslEngine(SSLEngine engine) {
}
protected void setupHandlers(ApplicationProtocolConfig apn) throws InterruptedException, SSLException, protected void setupHandlers(ApplicationProtocolConfig apn) throws InterruptedException, SSLException,
CertificateException { CertificateException {
setupHandlers(apn, apn); setupHandlers(apn, apn);