OpenSslEngine with no finalizer
Motivation: OpenSslEngine and OpenSslContext currently rely on finalizers to ensure that native resources are cleaned up. Finalizers require the GC to do extra work, and this extra work can be avoided if the user instead takes responsibility of releasing the native resources. Modifications: - Make a base class for OpenSslENgine and OpenSslContext which does not have a finalizer but instead implements ReferenceCounted. If this engine is inserted into the pipeline it will be released by the SslHandler - Add a new SslProvider which can be used to enable this new feature Result: Users can opt-in to a finalizer free OpenSslEngine and OpenSslContext. Fixes https://github.com/netty/netty/issues/4958
This commit is contained in:
parent
3fa8f31055
commit
7d774584c8
@ -15,34 +15,25 @@
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.util.internal.logging.InternalLogger;
|
||||
import io.netty.util.internal.logging.InternalLoggerFactory;
|
||||
import org.apache.tomcat.jni.CertificateRequestedCallback;
|
||||
import org.apache.tomcat.jni.SSL;
|
||||
import org.apache.tomcat.jni.SSLContext;
|
||||
|
||||
import java.io.File;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import javax.net.ssl.X509KeyManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
import javax.security.auth.x500.X500Principal;
|
||||
import java.io.File;
|
||||
import java.security.KeyStore;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import static io.netty.handler.ssl.ReferenceCountedOpenSslClientContext.newSessionContext;
|
||||
|
||||
/**
|
||||
* A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
|
||||
* <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
|
||||
* and manually release the native memory see {@link ReferenceCountedOpenSslClientContext}.
|
||||
*/
|
||||
public final class OpenSslClientContext extends OpenSslContext {
|
||||
private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSslClientContext.class);
|
||||
private final OpenSslSessionContext sessionContext;
|
||||
|
||||
/**
|
||||
@ -187,7 +178,6 @@ public final class OpenSslClientContext extends OpenSslContext {
|
||||
keyPassword, keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
|
||||
}
|
||||
|
||||
@SuppressWarnings("deprecation")
|
||||
OpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
|
||||
KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
|
||||
@ -198,73 +188,12 @@ public final class OpenSslClientContext extends OpenSslContext {
|
||||
ClientAuth.NONE);
|
||||
boolean success = false;
|
||||
try {
|
||||
if (key == null && keyCertChain != null || key != null && keyCertChain == null) {
|
||||
throw new IllegalArgumentException(
|
||||
"Either both keyCertChain and key needs to be null or none of them");
|
||||
}
|
||||
synchronized (OpenSslContext.class) {
|
||||
try {
|
||||
if (!OpenSsl.useKeyManagerFactory()) {
|
||||
if (keyManagerFactory != null) {
|
||||
throw new IllegalArgumentException(
|
||||
"KeyManagerFactory not supported");
|
||||
}
|
||||
if (keyCertChain != null && key != null) {
|
||||
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
|
||||
}
|
||||
} else {
|
||||
if (keyCertChain != null) {
|
||||
keyManagerFactory = buildKeyManagerFactory(
|
||||
sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
|
||||
keyCertChain, key, keyPassword, keyManagerFactory);
|
||||
}
|
||||
if (keyManagerFactory != null) {
|
||||
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
|
||||
OpenSslKeyMaterialManager materialManager = useExtendedKeyManager(keyManager) ?
|
||||
new OpenSslExtendedKeyMaterialManager(
|
||||
(X509ExtendedKeyManager) keyManager, keyPassword) :
|
||||
new OpenSslKeyMaterialManager(keyManager, keyPassword);
|
||||
SSLContext.setCertRequestedCallback(ctx, new OpenSslCertificateRequestedCallback(
|
||||
engineMap, materialManager));
|
||||
}
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set certificate and key", e);
|
||||
}
|
||||
|
||||
SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH);
|
||||
|
||||
try {
|
||||
if (trustCertCollection != null) {
|
||||
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
|
||||
} else if (trustManagerFactory == null) {
|
||||
trustManagerFactory = TrustManagerFactory.getInstance(
|
||||
TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init((KeyStore) null);
|
||||
}
|
||||
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
|
||||
|
||||
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
|
||||
// otherwise the context can never be collected. This is because the JNI code holds
|
||||
// a global reference to the callbacks.
|
||||
//
|
||||
// See https://github.com/netty/netty/issues/5372
|
||||
|
||||
// Use this to prevent an error when running on java < 7
|
||||
if (useExtendedTrustManager(manager)) {
|
||||
SSLContext.setCertVerifyCallback(ctx,
|
||||
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
|
||||
} else {
|
||||
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("unable to setup trustmanager", e);
|
||||
}
|
||||
}
|
||||
sessionContext = new OpenSslClientSessionContext(this);
|
||||
success = true;
|
||||
} finally {
|
||||
if (!success) {
|
||||
destroy();
|
||||
release();
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -278,148 +207,4 @@ public final class OpenSslClientContext extends OpenSslContext {
|
||||
OpenSslKeyMaterialManager keyMaterialManager() {
|
||||
return null;
|
||||
}
|
||||
|
||||
// No cache is currently supported for client side mode.
|
||||
private static final class OpenSslClientSessionContext extends OpenSslSessionContext {
|
||||
private OpenSslClientSessionContext(OpenSslContext context) {
|
||||
super(context);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setSessionTimeout(int seconds) {
|
||||
if (seconds < 0) {
|
||||
throw new IllegalArgumentException();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public int getSessionTimeout() {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setSessionCacheSize(int size) {
|
||||
if (size < 0) {
|
||||
throw new IllegalArgumentException();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public int getSessionCacheSize() {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setSessionCacheEnabled(boolean enabled) {
|
||||
// ignored
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isSessionCacheEnabled() {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509TrustManager manager;
|
||||
|
||||
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkServerTrusted(peerCerts, auth);
|
||||
}
|
||||
}
|
||||
|
||||
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509ExtendedTrustManager manager;
|
||||
|
||||
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkServerTrusted(peerCerts, auth, engine);
|
||||
}
|
||||
}
|
||||
|
||||
private static final class OpenSslCertificateRequestedCallback implements CertificateRequestedCallback {
|
||||
private final OpenSslEngineMap engineMap;
|
||||
private final OpenSslKeyMaterialManager keyManagerHolder;
|
||||
|
||||
OpenSslCertificateRequestedCallback(OpenSslEngineMap engineMap, OpenSslKeyMaterialManager keyManagerHolder) {
|
||||
this.engineMap = engineMap;
|
||||
this.keyManagerHolder = keyManagerHolder;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void requested(long ssl, byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) {
|
||||
final OpenSslEngine engine = engineMap.get(ssl);
|
||||
try {
|
||||
final Set<String> keyTypesSet = supportedClientKeyTypes(keyTypeBytes);
|
||||
final String[] keyTypes = keyTypesSet.toArray(new String[keyTypesSet.size()]);
|
||||
final X500Principal[] issuers;
|
||||
if (asn1DerEncodedPrincipals == null) {
|
||||
issuers = null;
|
||||
} else {
|
||||
issuers = new X500Principal[asn1DerEncodedPrincipals.length];
|
||||
for (int i = 0; i < asn1DerEncodedPrincipals.length; i++) {
|
||||
issuers[i] = new X500Principal(asn1DerEncodedPrincipals[i]);
|
||||
}
|
||||
}
|
||||
keyManagerHolder.setKeyMaterial(engine, keyTypes, issuers);
|
||||
} catch (Throwable cause) {
|
||||
logger.debug("request of key failed", cause);
|
||||
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
|
||||
e.initCause(cause);
|
||||
engine.handshakeException = e;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the supported key types for client certificates.
|
||||
*
|
||||
* @param clientCertificateTypes {@code ClientCertificateType} values provided by the server.
|
||||
* See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml.
|
||||
* @return supported key types that can be used in {@code X509KeyManager.chooseClientAlias} and
|
||||
* {@code X509ExtendedKeyManager.chooseEngineClientAlias}.
|
||||
*/
|
||||
private static Set<String> supportedClientKeyTypes(byte[] clientCertificateTypes) {
|
||||
Set<String> result = new HashSet<String>(clientCertificateTypes.length);
|
||||
for (byte keyTypeCode : clientCertificateTypes) {
|
||||
String keyType = clientKeyType(keyTypeCode);
|
||||
if (keyType == null) {
|
||||
// Unsupported client key type -- ignore
|
||||
continue;
|
||||
}
|
||||
result.add(keyType);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
private static String clientKeyType(byte clientCertificateType) {
|
||||
// See also http://www.ietf.org/assignments/tls-parameters/tls-parameters.xml
|
||||
switch (clientCertificateType) {
|
||||
case CertificateRequestedCallback.TLS_CT_RSA_SIGN:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_RSA; // RFC rsa_sign
|
||||
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_DH:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_DH_RSA; // RFC rsa_fixed_dh
|
||||
case CertificateRequestedCallback.TLS_CT_ECDSA_SIGN:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_EC; // RFC ecdsa_sign
|
||||
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_ECDH:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_EC_RSA; // RFC rsa_fixed_ecdh
|
||||
case CertificateRequestedCallback.TLS_CT_ECDSA_FIXED_ECDH:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_EC_EC; // RFC ecdsa_fixed_ecdh
|
||||
default:
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -15,661 +15,46 @@
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.buffer.ByteBuf;
|
||||
import io.netty.buffer.ByteBufAllocator;
|
||||
import io.netty.util.internal.PlatformDependent;
|
||||
import io.netty.util.internal.StringUtil;
|
||||
import io.netty.util.internal.SystemPropertyUtil;
|
||||
import io.netty.util.internal.logging.InternalLogger;
|
||||
import io.netty.util.internal.logging.InternalLoggerFactory;
|
||||
import org.apache.tomcat.jni.CertificateVerifier;
|
||||
import org.apache.tomcat.jni.Pool;
|
||||
import org.apache.tomcat.jni.SSL;
|
||||
import org.apache.tomcat.jni.SSLContext;
|
||||
|
||||
import javax.net.ssl.KeyManager;
|
||||
import java.security.cert.Certificate;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import javax.net.ssl.X509KeyManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateExpiredException;
|
||||
import java.security.cert.CertificateNotYetValidException;
|
||||
import java.security.cert.CertificateRevokedException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import static io.netty.util.internal.ObjectUtil.checkNotNull;
|
||||
import static io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
|
||||
import static io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBehavior;
|
||||
|
||||
public abstract class OpenSslContext extends SslContext {
|
||||
private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSslContext.class);
|
||||
/**
|
||||
* To make it easier for users to replace JDK implemention with OpenSsl version we also use
|
||||
* {@code jdk.tls.rejectClientInitiatedRenegotiation} to allow disabling client initiated renegotiation.
|
||||
* Java8+ uses this system property as well.
|
||||
* <p>
|
||||
* See also <a href="http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html">
|
||||
* Significant SSL/TLS improvements in Java 8</a>
|
||||
*/
|
||||
private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false);
|
||||
private static final List<String> DEFAULT_CIPHERS;
|
||||
private static final Integer DH_KEY_LENGTH;
|
||||
|
||||
// TODO: Maybe make configurable ?
|
||||
protected static final int VERIFY_DEPTH = 10;
|
||||
import static io.netty.util.ReferenceCountUtil.safeRelease;
|
||||
|
||||
/**
|
||||
* The OpenSSL SSL_CTX object
|
||||
* This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
|
||||
* and manually release the native memory see {@link ReferenceCountedOpenSslContext}.
|
||||
*/
|
||||
protected volatile long ctx;
|
||||
long aprPool;
|
||||
@SuppressWarnings({ "unused", "FieldMayBeFinal" })
|
||||
private volatile int aprPoolDestroyed;
|
||||
private final List<String> unmodifiableCiphers;
|
||||
private final long sessionCacheSize;
|
||||
private final long sessionTimeout;
|
||||
private final OpenSslApplicationProtocolNegotiator apn;
|
||||
private final int mode;
|
||||
|
||||
final Certificate[] keyCertChain;
|
||||
final ClientAuth clientAuth;
|
||||
final OpenSslEngineMap engineMap = new DefaultOpenSslEngineMap();
|
||||
volatile boolean rejectRemoteInitiatedRenegotiation;
|
||||
|
||||
static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR =
|
||||
new OpenSslApplicationProtocolNegotiator() {
|
||||
@Override
|
||||
public ApplicationProtocolConfig.Protocol protocol() {
|
||||
return ApplicationProtocolConfig.Protocol.NONE;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> protocols() {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
@Override
|
||||
public SelectorFailureBehavior selectorFailureBehavior() {
|
||||
return SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public SelectedListenerFailureBehavior selectedListenerFailureBehavior() {
|
||||
return SelectedListenerFailureBehavior.ACCEPT;
|
||||
}
|
||||
};
|
||||
|
||||
static {
|
||||
List<String> ciphers = new ArrayList<String>();
|
||||
// XXX: Make sure to sync this list with JdkSslEngineFactory.
|
||||
Collections.addAll(
|
||||
ciphers,
|
||||
"ECDHE-RSA-AES128-GCM-SHA256",
|
||||
"ECDHE-RSA-AES128-SHA",
|
||||
"ECDHE-RSA-AES256-SHA",
|
||||
"AES128-GCM-SHA256",
|
||||
"AES128-SHA",
|
||||
"AES256-SHA",
|
||||
"DES-CBC3-SHA");
|
||||
DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Default cipher suite (OpenSSL): " + ciphers);
|
||||
}
|
||||
|
||||
Integer dhLen = null;
|
||||
|
||||
try {
|
||||
String dhKeySize = AccessController.doPrivileged(new PrivilegedAction<String>() {
|
||||
@Override
|
||||
public String run() {
|
||||
return SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
|
||||
}
|
||||
});
|
||||
if (dhKeySize != null) {
|
||||
try {
|
||||
dhLen = Integer.parseInt(dhKeySize);
|
||||
} catch (NumberFormatException e) {
|
||||
logger.debug("OpenSslContext only support -Djdk.tls.ephemeralDHKeySize={int}, but got: "
|
||||
+ dhKeySize);
|
||||
}
|
||||
}
|
||||
} catch (Throwable ignore) {
|
||||
// ignore
|
||||
}
|
||||
DH_KEY_LENGTH = dhLen;
|
||||
}
|
||||
|
||||
public abstract class OpenSslContext extends ReferenceCountedOpenSslContext {
|
||||
OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apnCfg,
|
||||
long sessionCacheSize, long sessionTimeout, int mode, Certificate[] keyCertChain,
|
||||
ClientAuth clientAuth)
|
||||
throws SSLException {
|
||||
this(ciphers, cipherFilter, toNegotiator(apnCfg), sessionCacheSize, sessionTimeout, mode, keyCertChain,
|
||||
clientAuth);
|
||||
super(ciphers, cipherFilter, apnCfg, sessionCacheSize, sessionTimeout, mode, keyCertChain,
|
||||
clientAuth, false);
|
||||
}
|
||||
|
||||
OpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
|
||||
OpenSslApplicationProtocolNegotiator apn, long sessionCacheSize,
|
||||
long sessionTimeout, int mode, Certificate[] keyCertChain,
|
||||
ClientAuth clientAuth) throws SSLException {
|
||||
OpenSsl.ensureAvailability();
|
||||
|
||||
if (mode != SSL.SSL_MODE_SERVER && mode != SSL.SSL_MODE_CLIENT) {
|
||||
throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
|
||||
}
|
||||
this.mode = mode;
|
||||
this.clientAuth = isServer() ? checkNotNull(clientAuth, "clientAuth") : ClientAuth.NONE;
|
||||
|
||||
if (mode == SSL.SSL_MODE_SERVER) {
|
||||
rejectRemoteInitiatedRenegotiation =
|
||||
JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
|
||||
}
|
||||
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
|
||||
final List<String> convertedCiphers;
|
||||
if (ciphers == null) {
|
||||
convertedCiphers = null;
|
||||
} else {
|
||||
convertedCiphers = new ArrayList<String>();
|
||||
for (String c : ciphers) {
|
||||
if (c == null) {
|
||||
break;
|
||||
}
|
||||
|
||||
String converted = CipherSuiteConverter.toOpenSsl(c);
|
||||
if (converted != null) {
|
||||
c = converted;
|
||||
}
|
||||
convertedCiphers.add(c);
|
||||
}
|
||||
}
|
||||
|
||||
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
|
||||
convertedCiphers, DEFAULT_CIPHERS, OpenSsl.availableCipherSuites()));
|
||||
|
||||
this.apn = checkNotNull(apn, "apn");
|
||||
|
||||
// Allocate a new APR pool.
|
||||
aprPool = Pool.create(0);
|
||||
|
||||
// Create a new SSL_CTX and configure it.
|
||||
boolean success = false;
|
||||
try {
|
||||
synchronized (OpenSslContext.class) {
|
||||
try {
|
||||
ctx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, mode);
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to create an SSL_CTX", e);
|
||||
}
|
||||
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
|
||||
// Disable ticket support by default to be more inline with SSLEngineImpl of the JDK.
|
||||
// This also let SSLSession.getId() work the same way for the JDK implementation and the OpenSSLEngine.
|
||||
// If tickets are supported SSLSession.getId() will only return an ID on the server-side if it could
|
||||
// make use of tickets.
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
|
||||
|
||||
// We need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as the memory address may change between
|
||||
// calling OpenSSLEngine.wrap(...).
|
||||
// See https://github.com/netty/netty-tcnative/issues/100
|
||||
SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
||||
|
||||
if (DH_KEY_LENGTH != null) {
|
||||
SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
|
||||
}
|
||||
|
||||
/* List the ciphers that are permitted to negotiate. */
|
||||
try {
|
||||
SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers));
|
||||
} catch (SSLException e) {
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set cipher suite: " + unmodifiableCiphers, e);
|
||||
}
|
||||
|
||||
List<String> nextProtoList = apn.protocols();
|
||||
/* Set next protocols for next protocol negotiation extension, if specified */
|
||||
if (!nextProtoList.isEmpty()) {
|
||||
String[] protocols = nextProtoList.toArray(new String[nextProtoList.size()]);
|
||||
int selectorBehavior = opensslSelectorFailureBehavior(apn.selectorFailureBehavior());
|
||||
|
||||
switch (apn.protocol()) {
|
||||
case NPN:
|
||||
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
|
||||
break;
|
||||
case ALPN:
|
||||
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
|
||||
break;
|
||||
case NPN_AND_ALPN:
|
||||
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
|
||||
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
|
||||
break;
|
||||
default:
|
||||
throw new Error();
|
||||
}
|
||||
}
|
||||
|
||||
/* Set session cache size, if specified */
|
||||
if (sessionCacheSize > 0) {
|
||||
this.sessionCacheSize = sessionCacheSize;
|
||||
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
|
||||
} else {
|
||||
// Get the default session cache size using SSLContext.setSessionCacheSize()
|
||||
this.sessionCacheSize = sessionCacheSize = SSLContext.setSessionCacheSize(ctx, 20480);
|
||||
// Revert the session cache size to the default value.
|
||||
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
|
||||
}
|
||||
|
||||
/* Set session timeout, if specified */
|
||||
if (sessionTimeout > 0) {
|
||||
this.sessionTimeout = sessionTimeout;
|
||||
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
|
||||
} else {
|
||||
// Get the default session timeout using SSLContext.setSessionCacheTimeout()
|
||||
this.sessionTimeout = sessionTimeout = SSLContext.setSessionCacheTimeout(ctx, 300);
|
||||
// Revert the session timeout to the default value.
|
||||
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
|
||||
}
|
||||
}
|
||||
success = true;
|
||||
} finally {
|
||||
if (!success) {
|
||||
destroy();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static int opensslSelectorFailureBehavior(SelectorFailureBehavior behavior) {
|
||||
switch (behavior) {
|
||||
case NO_ADVERTISE:
|
||||
return SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE;
|
||||
case CHOOSE_MY_LAST_PROTOCOL:
|
||||
return SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL;
|
||||
default:
|
||||
throw new Error();
|
||||
}
|
||||
super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, mode, keyCertChain, clientAuth, false);
|
||||
}
|
||||
|
||||
@Override
|
||||
public final List<String> cipherSuites() {
|
||||
return unmodifiableCiphers;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final long sessionCacheSize() {
|
||||
return sessionCacheSize;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final long sessionTimeout() {
|
||||
return sessionTimeout;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
|
||||
return apn;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final boolean isClient() {
|
||||
return mode == SSL.SSL_MODE_CLIENT;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
|
||||
final SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort) {
|
||||
return new OpenSslEngine(this, alloc, peerHost, peerPort);
|
||||
}
|
||||
|
||||
abstract OpenSslKeyMaterialManager keyMaterialManager();
|
||||
|
||||
/**
|
||||
* Returns a new server-side {@link SSLEngine} with the current configuration.
|
||||
*/
|
||||
@Override
|
||||
public final SSLEngine newEngine(ByteBufAllocator alloc) {
|
||||
return newEngine(alloc, null, -1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the pointer to the {@code SSL_CTX} object for this {@link OpenSslContext}.
|
||||
* Be aware that it is freed as soon as the {@link #finalize()} method is called.
|
||||
* At this point {@code 0} will be returned.
|
||||
*
|
||||
* @deprecated use {@link #sslCtxPointer()}
|
||||
*/
|
||||
@Deprecated
|
||||
public final long context() {
|
||||
return ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the stats of this context.
|
||||
*
|
||||
* @deprecated use {@link #sessionContext#stats()}
|
||||
*/
|
||||
@Deprecated
|
||||
public final OpenSslSessionStats stats() {
|
||||
return sessionContext().stats();
|
||||
}
|
||||
|
||||
/**
|
||||
* Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries
|
||||
* to initiate a renegotiation a {@link SSLHandshakeException} will be thrown during decoding.
|
||||
*/
|
||||
public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation) {
|
||||
this.rejectRemoteInitiatedRenegotiation = rejectRemoteInitiatedRenegotiation;
|
||||
}
|
||||
|
||||
@Override
|
||||
@SuppressWarnings("FinalizeDeclaration")
|
||||
protected final void finalize() throws Throwable {
|
||||
super.finalize();
|
||||
destroy();
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the SSL session ticket keys of this context.
|
||||
*
|
||||
* @deprecated use {@link OpenSslSessionContext#setTicketKeys(byte[])}
|
||||
*/
|
||||
@Deprecated
|
||||
public final void setTicketKeys(byte[] keys) {
|
||||
sessionContext().setTicketKeys(keys);
|
||||
}
|
||||
|
||||
@Override
|
||||
public abstract OpenSslSessionContext sessionContext();
|
||||
|
||||
/**
|
||||
* Returns the pointer to the {@code SSL_CTX} object for this {@link OpenSslContext}.
|
||||
* Be aware that it is freed as soon as the {@link #finalize()} method is called.
|
||||
* At this point {@code 0} will be returned.
|
||||
*/
|
||||
public final long sslCtxPointer() {
|
||||
return ctx;
|
||||
}
|
||||
|
||||
// IMPORTANT: This method must only be called from either the constructor or the finalizer as a user MUST never
|
||||
// get access to an OpenSslSessionContext after this method was called to prevent the user from
|
||||
// producing a segfault.
|
||||
final void destroy() {
|
||||
synchronized (OpenSslContext.class) {
|
||||
if (ctx != 0) {
|
||||
SSLContext.free(ctx);
|
||||
ctx = 0;
|
||||
}
|
||||
|
||||
// Guard against multiple destroyPools() calls triggered by construction exception and finalize() later
|
||||
if (aprPool != 0) {
|
||||
Pool.destroy(aprPool);
|
||||
aprPool = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
protected static X509Certificate[] certificates(byte[][] chain) {
|
||||
X509Certificate[] peerCerts = new X509Certificate[chain.length];
|
||||
for (int i = 0; i < peerCerts.length; i++) {
|
||||
peerCerts[i] = new OpenSslX509Certificate(chain[i]);
|
||||
}
|
||||
return peerCerts;
|
||||
}
|
||||
|
||||
protected static X509TrustManager chooseTrustManager(TrustManager[] managers) {
|
||||
for (TrustManager m : managers) {
|
||||
if (m instanceof X509TrustManager) {
|
||||
return (X509TrustManager) m;
|
||||
}
|
||||
}
|
||||
throw new IllegalStateException("no X509TrustManager found");
|
||||
}
|
||||
|
||||
protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms) {
|
||||
for (KeyManager km : kms) {
|
||||
if (km instanceof X509KeyManager) {
|
||||
return (X509KeyManager) km;
|
||||
}
|
||||
}
|
||||
throw new IllegalStateException("no X509KeyManager found");
|
||||
}
|
||||
|
||||
/**
|
||||
* Translate a {@link ApplicationProtocolConfig} object to a
|
||||
* {@link OpenSslApplicationProtocolNegotiator} object.
|
||||
*
|
||||
* @param config The configuration which defines the translation
|
||||
* @return The results of the translation
|
||||
*/
|
||||
static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config) {
|
||||
if (config == null) {
|
||||
return NONE_PROTOCOL_NEGOTIATOR;
|
||||
}
|
||||
|
||||
switch (config.protocol()) {
|
||||
case NONE:
|
||||
return NONE_PROTOCOL_NEGOTIATOR;
|
||||
case ALPN:
|
||||
case NPN:
|
||||
case NPN_AND_ALPN:
|
||||
switch (config.selectedListenerFailureBehavior()) {
|
||||
case CHOOSE_MY_LAST_PROTOCOL:
|
||||
case ACCEPT:
|
||||
switch (config.selectorFailureBehavior()) {
|
||||
case CHOOSE_MY_LAST_PROTOCOL:
|
||||
case NO_ADVERTISE:
|
||||
return new OpenSslDefaultApplicationProtocolNegotiator(
|
||||
config);
|
||||
default:
|
||||
throw new UnsupportedOperationException(
|
||||
new StringBuilder("OpenSSL provider does not support ")
|
||||
.append(config.selectorFailureBehavior())
|
||||
.append(" behavior").toString());
|
||||
}
|
||||
default:
|
||||
throw new UnsupportedOperationException(
|
||||
new StringBuilder("OpenSSL provider does not support ")
|
||||
.append(config.selectedListenerFailureBehavior())
|
||||
.append(" behavior").toString());
|
||||
}
|
||||
default:
|
||||
throw new Error();
|
||||
}
|
||||
}
|
||||
|
||||
static boolean useExtendedTrustManager(X509TrustManager trustManager) {
|
||||
return PlatformDependent.javaVersion() >= 7 && trustManager instanceof X509ExtendedTrustManager;
|
||||
}
|
||||
|
||||
static boolean useExtendedKeyManager(X509KeyManager keyManager) {
|
||||
return PlatformDependent.javaVersion() >= 7 && keyManager instanceof X509ExtendedKeyManager;
|
||||
}
|
||||
|
||||
abstract static class AbstractCertificateVerifier implements CertificateVerifier {
|
||||
private final OpenSslEngineMap engineMap;
|
||||
|
||||
AbstractCertificateVerifier(OpenSslEngineMap engineMap) {
|
||||
this.engineMap = engineMap;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final int verify(long ssl, byte[][] chain, String auth) {
|
||||
X509Certificate[] peerCerts = certificates(chain);
|
||||
final OpenSslEngine engine = engineMap.get(ssl);
|
||||
try {
|
||||
verify(engine, peerCerts, auth);
|
||||
return CertificateVerifier.X509_V_OK;
|
||||
} catch (Throwable cause) {
|
||||
logger.debug("verification of certificate failed", cause);
|
||||
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
|
||||
e.initCause(cause);
|
||||
engine.handshakeException = e;
|
||||
|
||||
if (cause instanceof OpenSslCertificateException) {
|
||||
return ((OpenSslCertificateException) cause).errorCode();
|
||||
}
|
||||
if (cause instanceof CertificateExpiredException) {
|
||||
return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
|
||||
}
|
||||
if (cause instanceof CertificateNotYetValidException) {
|
||||
return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
|
||||
}
|
||||
if (PlatformDependent.javaVersion() >= 7 && cause instanceof CertificateRevokedException) {
|
||||
return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
|
||||
}
|
||||
return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
|
||||
}
|
||||
}
|
||||
|
||||
abstract void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth) throws Exception;
|
||||
}
|
||||
|
||||
private static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
|
||||
private final Map<Long, OpenSslEngine> engines = PlatformDependent.newConcurrentHashMap();
|
||||
|
||||
@Override
|
||||
public OpenSslEngine remove(long ssl) {
|
||||
return engines.remove(ssl);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void add(OpenSslEngine engine) {
|
||||
engines.put(engine.sslPointer(), engine);
|
||||
}
|
||||
|
||||
@Override
|
||||
public OpenSslEngine get(long ssl) {
|
||||
return engines.get(ssl);
|
||||
}
|
||||
}
|
||||
|
||||
static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
|
||||
throws SSLException {
|
||||
/* Load the certificate file and private key. */
|
||||
long keyBio = 0;
|
||||
long keyCertChainBio = 0;
|
||||
|
||||
try {
|
||||
keyCertChainBio = toBIO(keyCertChain);
|
||||
keyBio = toBIO(key);
|
||||
|
||||
SSLContext.setCertificateBio(
|
||||
ctx, keyCertChainBio, keyBio,
|
||||
keyPassword == null ? StringUtil.EMPTY_STRING : keyPassword, SSL.SSL_AIDX_RSA);
|
||||
// We may have more then one cert in the chain so add all of them now.
|
||||
SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false);
|
||||
} catch (SSLException e) {
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set certificate and key", e);
|
||||
} finally {
|
||||
if (keyBio != 0) {
|
||||
SSL.freeBIO(keyBio);
|
||||
}
|
||||
if (keyCertChainBio != 0) {
|
||||
SSL.freeBIO(keyCertChainBio);
|
||||
}
|
||||
}
|
||||
}
|
||||
/**
|
||||
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
|
||||
* or {@code 0} if the {@code key} is {@code null}. The BIO contains the content of the {@code key}.
|
||||
*/
|
||||
static long toBIO(PrivateKey key) throws Exception {
|
||||
if (key == null) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
|
||||
PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
|
||||
try {
|
||||
return toBIO(allocator, pem.retain());
|
||||
} finally {
|
||||
pem.release();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
|
||||
* or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
|
||||
*/
|
||||
static long toBIO(X509Certificate... certChain) throws Exception {
|
||||
if (certChain == null) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (certChain.length == 0) {
|
||||
throw new IllegalArgumentException("certChain can't be empty");
|
||||
}
|
||||
|
||||
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
|
||||
PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
|
||||
try {
|
||||
return toBIO(allocator, pem.retain());
|
||||
} finally {
|
||||
pem.release();
|
||||
}
|
||||
}
|
||||
|
||||
private static long toBIO(ByteBufAllocator allocator, PemEncoded pem) throws Exception {
|
||||
try {
|
||||
// We can turn direct buffers straight into BIOs. No need to
|
||||
// make a yet another copy.
|
||||
ByteBuf content = pem.content();
|
||||
|
||||
if (content.isDirect()) {
|
||||
return newBIO(content.retainedSlice());
|
||||
}
|
||||
|
||||
ByteBuf buffer = allocator.directBuffer(content.readableBytes());
|
||||
try {
|
||||
buffer.writeBytes(content, content.readerIndex(), content.readableBytes());
|
||||
return newBIO(buffer.retainedSlice());
|
||||
} finally {
|
||||
try {
|
||||
// If the contents of the ByteBuf is sensitive (e.g. a PrivateKey) we
|
||||
// need to zero out the bytes of the copy before we're releasing it.
|
||||
if (pem.isSensitive()) {
|
||||
SslUtils.zeroout(buffer);
|
||||
}
|
||||
} finally {
|
||||
buffer.release();
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
pem.release();
|
||||
}
|
||||
}
|
||||
|
||||
private static long newBIO(ByteBuf buffer) throws Exception {
|
||||
try {
|
||||
long bio = SSL.newMemBIO();
|
||||
int readable = buffer.readableBytes();
|
||||
if (SSL.writeToBIO(bio, OpenSsl.memoryAddress(buffer) + buffer.readerIndex(), readable) != readable) {
|
||||
SSL.freeBIO(bio);
|
||||
throw new IllegalStateException("Could not write data to memory BIO");
|
||||
}
|
||||
return bio;
|
||||
} finally {
|
||||
buffer.release();
|
||||
}
|
||||
safeRelease(this);
|
||||
}
|
||||
}
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -21,15 +21,15 @@ interface OpenSslEngineMap {
|
||||
* Remove the {@link OpenSslEngine} with the given {@code ssl} address and
|
||||
* return it.
|
||||
*/
|
||||
OpenSslEngine remove(long ssl);
|
||||
ReferenceCountedOpenSslEngine remove(long ssl);
|
||||
|
||||
/**
|
||||
* Add a {@link OpenSslEngine} to this {@link OpenSslEngineMap}.
|
||||
*/
|
||||
void add(OpenSslEngine engine);
|
||||
void add(ReferenceCountedOpenSslEngine engine);
|
||||
|
||||
/**
|
||||
* Get the {@link OpenSslEngine} for the given {@code ssl} address.
|
||||
*/
|
||||
OpenSslEngine get(long ssl);
|
||||
ReferenceCountedOpenSslEngine get(long ssl);
|
||||
}
|
||||
|
@ -28,12 +28,13 @@ final class OpenSslExtendedKeyMaterialManager extends OpenSslKeyMaterialManager
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String chooseClientAlias(OpenSslEngine engine, String[] keyTypes, X500Principal[] issuer) {
|
||||
protected String chooseClientAlias(ReferenceCountedOpenSslEngine engine, String[] keyTypes,
|
||||
X500Principal[] issuer) {
|
||||
return keyManager.chooseEngineClientAlias(keyTypes, issuer, engine);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String chooseServerAlias(OpenSslEngine engine, String type) {
|
||||
protected String chooseServerAlias(ReferenceCountedOpenSslEngine engine, String type) {
|
||||
return keyManager.chooseEngineServerAlias(type, null, engine);
|
||||
}
|
||||
}
|
||||
|
@ -65,7 +65,7 @@ class OpenSslKeyMaterialManager {
|
||||
this.password = password;
|
||||
}
|
||||
|
||||
void setKeyMaterial(OpenSslEngine engine) throws SSLException {
|
||||
void setKeyMaterial(ReferenceCountedOpenSslEngine engine) throws SSLException {
|
||||
long ssl = engine.sslPointer();
|
||||
String[] authMethods = SSL.authenticationMethods(ssl);
|
||||
Set<String> aliases = new HashSet<String>(authMethods.length);
|
||||
@ -80,7 +80,8 @@ class OpenSslKeyMaterialManager {
|
||||
}
|
||||
}
|
||||
|
||||
void setKeyMaterial(OpenSslEngine engine, String[] keyTypes, X500Principal[] issuer) throws SSLException {
|
||||
void setKeyMaterial(ReferenceCountedOpenSslEngine engine, String[] keyTypes,
|
||||
X500Principal[] issuer) throws SSLException {
|
||||
setKeyMaterial(engine.sslPointer(), chooseClientAlias(engine, keyTypes, issuer));
|
||||
}
|
||||
|
||||
@ -116,12 +117,12 @@ class OpenSslKeyMaterialManager {
|
||||
}
|
||||
}
|
||||
|
||||
protected String chooseClientAlias(@SuppressWarnings("unused") OpenSslEngine engine,
|
||||
protected String chooseClientAlias(@SuppressWarnings("unused") ReferenceCountedOpenSslEngine engine,
|
||||
String[] keyTypes, X500Principal[] issuer) {
|
||||
return keyManager.chooseClientAlias(keyTypes, issuer, null);
|
||||
}
|
||||
|
||||
protected String chooseServerAlias(@SuppressWarnings("unused") OpenSslEngine engine, String type) {
|
||||
protected String chooseServerAlias(@SuppressWarnings("unused") ReferenceCountedOpenSslEngine engine, String type) {
|
||||
return keyManager.chooseServerAlias(type, null, null);
|
||||
}
|
||||
}
|
||||
|
@ -15,30 +15,27 @@
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.ServerContext;
|
||||
import org.apache.tomcat.jni.SSL;
|
||||
import org.apache.tomcat.jni.SSLContext;
|
||||
|
||||
import java.io.File;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import javax.net.ssl.KeyManager;
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import javax.net.ssl.X509KeyManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
import java.io.File;
|
||||
import java.security.KeyStore;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import static io.netty.util.internal.ObjectUtil.*;
|
||||
import static io.netty.handler.ssl.ReferenceCountedOpenSslServerContext.newSessionContext;
|
||||
|
||||
/**
|
||||
* A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
|
||||
* <p>This class will use a finalizer to ensure native resources are automatically cleaned up. To avoid finalizers
|
||||
* and manually release the native memory see {@link ReferenceCountedOpenSslServerContext}.
|
||||
*/
|
||||
public final class OpenSslServerContext extends OpenSslContext {
|
||||
private static final byte[] ID = new byte[] {'n', 'e', 't', 't', 'y'};
|
||||
private final OpenSslServerSessionContext sessionContext;
|
||||
private final OpenSslKeyMaterialManager keyMaterialManager;
|
||||
|
||||
@ -349,74 +346,14 @@ public final class OpenSslServerContext extends OpenSslContext {
|
||||
// Create a new SSL_CTX and configure it.
|
||||
boolean success = false;
|
||||
try {
|
||||
synchronized (OpenSslContext.class) {
|
||||
try {
|
||||
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
|
||||
if (!OpenSsl.useKeyManagerFactory()) {
|
||||
if (keyManagerFactory != null) {
|
||||
throw new IllegalArgumentException(
|
||||
"KeyManagerFactory not supported");
|
||||
}
|
||||
|
||||
/* Set certificate verification policy. */
|
||||
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
|
||||
|
||||
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
|
||||
keyMaterialManager = null;
|
||||
} else {
|
||||
if (keyCertChain != null) {
|
||||
keyManagerFactory = buildKeyManagerFactory(
|
||||
ServerContext context = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
|
||||
keyCertChain, key, keyPassword, keyManagerFactory);
|
||||
}
|
||||
|
||||
if (keyManagerFactory != null) {
|
||||
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
|
||||
keyMaterialManager = useExtendedKeyManager(keyManager) ?
|
||||
new OpenSslExtendedKeyMaterialManager(
|
||||
(X509ExtendedKeyManager) keyManager, keyPassword) :
|
||||
new OpenSslKeyMaterialManager(keyManager, keyPassword);
|
||||
} else {
|
||||
keyMaterialManager = null;
|
||||
}
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set certificate and key", e);
|
||||
}
|
||||
try {
|
||||
if (trustCertCollection != null) {
|
||||
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
|
||||
} else if (trustManagerFactory == null) {
|
||||
// Mimic the way SSLContext.getInstance(KeyManager[], null, null) works
|
||||
trustManagerFactory = TrustManagerFactory.getInstance(
|
||||
TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init((KeyStore) null);
|
||||
}
|
||||
|
||||
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
|
||||
|
||||
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
|
||||
// otherwise the context can never be collected. This is because the JNI code holds
|
||||
// a global reference to the callbacks.
|
||||
//
|
||||
// See https://github.com/netty/netty/issues/5372
|
||||
|
||||
// Use this to prevent an error when running on java < 7
|
||||
if (useExtendedTrustManager(manager)) {
|
||||
SSLContext.setCertVerifyCallback(ctx,
|
||||
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
|
||||
} else {
|
||||
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("unable to setup trustmanager", e);
|
||||
}
|
||||
}
|
||||
sessionContext = new OpenSslServerSessionContext(this);
|
||||
sessionContext.setSessionIdContext(ID);
|
||||
sessionContext = context.sessionContext;
|
||||
keyMaterialManager = context.keyMaterialManager;
|
||||
success = true;
|
||||
} finally {
|
||||
if (!success) {
|
||||
destroy();
|
||||
release();
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -430,34 +367,4 @@ public final class OpenSslServerContext extends OpenSslContext {
|
||||
OpenSslKeyMaterialManager keyMaterialManager() {
|
||||
return keyMaterialManager;
|
||||
}
|
||||
|
||||
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509TrustManager manager;
|
||||
|
||||
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkClientTrusted(peerCerts, auth);
|
||||
}
|
||||
}
|
||||
|
||||
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509ExtendedTrustManager manager;
|
||||
|
||||
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(OpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkClientTrusted(peerCerts, auth, engine);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -23,7 +23,7 @@ import org.apache.tomcat.jni.SSLContext;
|
||||
* {@link OpenSslSessionContext} implementation which offers extra methods which are only useful for the server-side.
|
||||
*/
|
||||
public final class OpenSslServerSessionContext extends OpenSslSessionContext {
|
||||
OpenSslServerSessionContext(OpenSslContext context) {
|
||||
OpenSslServerSessionContext(ReferenceCountedOpenSslContext context) {
|
||||
super(context);
|
||||
}
|
||||
|
||||
|
@ -32,13 +32,13 @@ public abstract class OpenSslSessionContext implements SSLSessionContext {
|
||||
private static final Enumeration<byte[]> EMPTY = new EmptyEnumeration();
|
||||
|
||||
private final OpenSslSessionStats stats;
|
||||
final OpenSslContext context;
|
||||
final ReferenceCountedOpenSslContext context;
|
||||
|
||||
// IMPORTANT: We take the OpenSslContext and not just the long (which points the native instance) to prevent
|
||||
// the GC to collect OpenSslContext as this would also free the pointer and so could result in a
|
||||
// segfault when the user calls any of the methods here that try to pass the pointer down to the native
|
||||
// level.
|
||||
OpenSslSessionContext(OpenSslContext context) {
|
||||
OpenSslSessionContext(ReferenceCountedOpenSslContext context) {
|
||||
this.context = context;
|
||||
stats = new OpenSslSessionStats(context);
|
||||
}
|
||||
|
@ -25,13 +25,13 @@ import org.apache.tomcat.jni.SSLContext;
|
||||
*/
|
||||
public final class OpenSslSessionStats {
|
||||
|
||||
private final OpenSslContext context;
|
||||
private final ReferenceCountedOpenSslContext context;
|
||||
|
||||
// IMPORTANT: We take the OpenSslContext and not just the long (which points the native instance) to prevent
|
||||
// the GC to collect OpenSslContext as this would also free the pointer and so could result in a
|
||||
// segfault when the user calls any of the methods here that try to pass the pointer down to the native
|
||||
// level.
|
||||
OpenSslSessionStats(OpenSslContext context) {
|
||||
OpenSslSessionStats(ReferenceCountedOpenSslContext context) {
|
||||
this.context = context;
|
||||
}
|
||||
|
||||
|
@ -0,0 +1,295 @@
|
||||
/*
|
||||
* Copyright 2016 The Netty Project
|
||||
*
|
||||
* The Netty Project licenses this file to you under the Apache License,
|
||||
* version 2.0 (the "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.util.internal.logging.InternalLogger;
|
||||
import io.netty.util.internal.logging.InternalLoggerFactory;
|
||||
import org.apache.tomcat.jni.CertificateRequestedCallback;
|
||||
import org.apache.tomcat.jni.SSL;
|
||||
import org.apache.tomcat.jni.SSLContext;
|
||||
|
||||
import java.security.KeyStore;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import javax.net.ssl.X509KeyManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
import javax.security.auth.x500.X500Principal;
|
||||
|
||||
/**
|
||||
* A client-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
|
||||
* <p>Instances of this class must be {@link #release() released} or else native memory will leak!
|
||||
*/
|
||||
public final class ReferenceCountedOpenSslClientContext extends ReferenceCountedOpenSslContext {
|
||||
private static final InternalLogger logger =
|
||||
InternalLoggerFactory.getInstance(ReferenceCountedOpenSslClientContext.class);
|
||||
private final OpenSslSessionContext sessionContext;
|
||||
|
||||
ReferenceCountedOpenSslClientContext(X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
|
||||
KeyManagerFactory keyManagerFactory, Iterable<String> ciphers,
|
||||
CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
|
||||
long sessionCacheSize, long sessionTimeout)
|
||||
throws SSLException {
|
||||
super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_CLIENT, keyCertChain,
|
||||
ClientAuth.NONE, true);
|
||||
boolean success = false;
|
||||
try {
|
||||
sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
|
||||
keyCertChain, key, keyPassword, keyManagerFactory);
|
||||
success = true;
|
||||
} finally {
|
||||
if (!success) {
|
||||
release();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
OpenSslKeyMaterialManager keyMaterialManager() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public OpenSslSessionContext sessionContext() {
|
||||
return sessionContext;
|
||||
}
|
||||
|
||||
static OpenSslSessionContext newSessionContext(ReferenceCountedOpenSslContext thiz, long ctx,
|
||||
OpenSslEngineMap engineMap,
|
||||
X509Certificate[] trustCertCollection,
|
||||
TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword,
|
||||
KeyManagerFactory keyManagerFactory) throws SSLException {
|
||||
if (key == null && keyCertChain != null || key != null && keyCertChain == null) {
|
||||
throw new IllegalArgumentException(
|
||||
"Either both keyCertChain and key needs to be null or none of them");
|
||||
}
|
||||
synchronized (ReferenceCountedOpenSslContext.class) {
|
||||
try {
|
||||
if (!OpenSsl.useKeyManagerFactory()) {
|
||||
if (keyManagerFactory != null) {
|
||||
throw new IllegalArgumentException(
|
||||
"KeyManagerFactory not supported");
|
||||
}
|
||||
if (keyCertChain != null/* && key != null*/) {
|
||||
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
|
||||
}
|
||||
} else {
|
||||
// javadocs state that keyManagerFactory has precedent over keyCertChain
|
||||
if (keyManagerFactory == null && keyCertChain != null) {
|
||||
keyManagerFactory = buildKeyManagerFactory(
|
||||
keyCertChain, key, keyPassword, keyManagerFactory);
|
||||
}
|
||||
|
||||
if (keyManagerFactory != null) {
|
||||
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
|
||||
OpenSslKeyMaterialManager materialManager = useExtendedKeyManager(keyManager) ?
|
||||
new OpenSslExtendedKeyMaterialManager(
|
||||
(X509ExtendedKeyManager) keyManager, keyPassword) :
|
||||
new OpenSslKeyMaterialManager(keyManager, keyPassword);
|
||||
SSLContext.setCertRequestedCallback(ctx, new OpenSslCertificateRequestedCallback(
|
||||
engineMap, materialManager));
|
||||
}
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set certificate and key", e);
|
||||
}
|
||||
|
||||
SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH);
|
||||
|
||||
try {
|
||||
if (trustCertCollection != null) {
|
||||
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
|
||||
} else if (trustManagerFactory == null) {
|
||||
trustManagerFactory = TrustManagerFactory.getInstance(
|
||||
TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init((KeyStore) null);
|
||||
}
|
||||
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
|
||||
|
||||
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
|
||||
// otherwise the context can never be collected. This is because the JNI code holds
|
||||
// a global reference to the callbacks.
|
||||
//
|
||||
// See https://github.com/netty/netty/issues/5372
|
||||
|
||||
// Use this to prevent an error when running on java < 7
|
||||
if (useExtendedTrustManager(manager)) {
|
||||
SSLContext.setCertVerifyCallback(ctx,
|
||||
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
|
||||
} else {
|
||||
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("unable to setup trustmanager", e);
|
||||
}
|
||||
}
|
||||
return new OpenSslClientSessionContext(thiz);
|
||||
}
|
||||
|
||||
// No cache is currently supported for client side mode.
|
||||
static final class OpenSslClientSessionContext extends OpenSslSessionContext {
|
||||
OpenSslClientSessionContext(ReferenceCountedOpenSslContext context) {
|
||||
super(context);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setSessionTimeout(int seconds) {
|
||||
if (seconds < 0) {
|
||||
throw new IllegalArgumentException();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public int getSessionTimeout() {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setSessionCacheSize(int size) {
|
||||
if (size < 0) {
|
||||
throw new IllegalArgumentException();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public int getSessionCacheSize() {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setSessionCacheEnabled(boolean enabled) {
|
||||
// ignored
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isSessionCacheEnabled() {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509TrustManager manager;
|
||||
|
||||
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkServerTrusted(peerCerts, auth);
|
||||
}
|
||||
}
|
||||
|
||||
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509ExtendedTrustManager manager;
|
||||
|
||||
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkServerTrusted(peerCerts, auth, engine);
|
||||
}
|
||||
}
|
||||
|
||||
private static final class OpenSslCertificateRequestedCallback implements CertificateRequestedCallback {
|
||||
private final OpenSslEngineMap engineMap;
|
||||
private final OpenSslKeyMaterialManager keyManagerHolder;
|
||||
|
||||
OpenSslCertificateRequestedCallback(OpenSslEngineMap engineMap, OpenSslKeyMaterialManager keyManagerHolder) {
|
||||
this.engineMap = engineMap;
|
||||
this.keyManagerHolder = keyManagerHolder;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void requested(long ssl, byte[] keyTypeBytes, byte[][] asn1DerEncodedPrincipals) {
|
||||
final ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
|
||||
try {
|
||||
final Set<String> keyTypesSet = supportedClientKeyTypes(keyTypeBytes);
|
||||
final String[] keyTypes = keyTypesSet.toArray(new String[keyTypesSet.size()]);
|
||||
final X500Principal[] issuers;
|
||||
if (asn1DerEncodedPrincipals == null) {
|
||||
issuers = null;
|
||||
} else {
|
||||
issuers = new X500Principal[asn1DerEncodedPrincipals.length];
|
||||
for (int i = 0; i < asn1DerEncodedPrincipals.length; i++) {
|
||||
issuers[i] = new X500Principal(asn1DerEncodedPrincipals[i]);
|
||||
}
|
||||
}
|
||||
keyManagerHolder.setKeyMaterial(engine, keyTypes, issuers);
|
||||
} catch (Throwable cause) {
|
||||
logger.debug("request of key failed", cause);
|
||||
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
|
||||
e.initCause(cause);
|
||||
engine.handshakeException = e;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the supported key types for client certificates.
|
||||
*
|
||||
* @param clientCertificateTypes {@code ClientCertificateType} values provided by the server.
|
||||
* See https://www.ietf.org/assignments/tls-parameters/tls-parameters.xml.
|
||||
* @return supported key types that can be used in {@code X509KeyManager.chooseClientAlias} and
|
||||
* {@code X509ExtendedKeyManager.chooseEngineClientAlias}.
|
||||
*/
|
||||
private static Set<String> supportedClientKeyTypes(byte[] clientCertificateTypes) {
|
||||
Set<String> result = new HashSet<String>(clientCertificateTypes.length);
|
||||
for (byte keyTypeCode : clientCertificateTypes) {
|
||||
String keyType = clientKeyType(keyTypeCode);
|
||||
if (keyType == null) {
|
||||
// Unsupported client key type -- ignore
|
||||
continue;
|
||||
}
|
||||
result.add(keyType);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
private static String clientKeyType(byte clientCertificateType) {
|
||||
// See also http://www.ietf.org/assignments/tls-parameters/tls-parameters.xml
|
||||
switch (clientCertificateType) {
|
||||
case CertificateRequestedCallback.TLS_CT_RSA_SIGN:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_RSA; // RFC rsa_sign
|
||||
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_DH:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_DH_RSA; // RFC rsa_fixed_dh
|
||||
case CertificateRequestedCallback.TLS_CT_ECDSA_SIGN:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_EC; // RFC ecdsa_sign
|
||||
case CertificateRequestedCallback.TLS_CT_RSA_FIXED_ECDH:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_EC_RSA; // RFC rsa_fixed_ecdh
|
||||
case CertificateRequestedCallback.TLS_CT_ECDSA_FIXED_ECDH:
|
||||
return OpenSslKeyMaterialManager.KEY_TYPE_EC_EC; // RFC ecdsa_fixed_ecdh
|
||||
default:
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,746 @@
|
||||
/*
|
||||
* Copyright 2016 The Netty Project
|
||||
*
|
||||
* The Netty Project licenses this file to you under the Apache License,
|
||||
* version 2.0 (the "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.buffer.ByteBuf;
|
||||
import io.netty.buffer.ByteBufAllocator;
|
||||
import io.netty.util.AbstractReferenceCounted;
|
||||
import io.netty.util.ReferenceCounted;
|
||||
import io.netty.util.ResourceLeak;
|
||||
import io.netty.util.ResourceLeakDetector;
|
||||
import io.netty.util.ResourceLeakDetectorFactory;
|
||||
import io.netty.util.internal.PlatformDependent;
|
||||
import io.netty.util.internal.StringUtil;
|
||||
import io.netty.util.internal.SystemPropertyUtil;
|
||||
import io.netty.util.internal.logging.InternalLogger;
|
||||
import io.netty.util.internal.logging.InternalLoggerFactory;
|
||||
import org.apache.tomcat.jni.CertificateVerifier;
|
||||
import org.apache.tomcat.jni.Pool;
|
||||
import org.apache.tomcat.jni.SSL;
|
||||
import org.apache.tomcat.jni.SSLContext;
|
||||
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateExpiredException;
|
||||
import java.security.cert.CertificateNotYetValidException;
|
||||
import java.security.cert.CertificateRevokedException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.net.ssl.KeyManager;
|
||||
import javax.net.ssl.SSLEngine;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import javax.net.ssl.X509KeyManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
|
||||
import static io.netty.util.internal.ObjectUtil.checkNotNull;
|
||||
|
||||
/**
|
||||
* An implementation of {@link SslContext} which works with libraries that support the
|
||||
* <a href="https://www.openssl.org/">OpenSsl</a> C library API.
|
||||
* <p>Instances of this class must be {@link #release() released} or else native memory will leak!
|
||||
*/
|
||||
public abstract class ReferenceCountedOpenSslContext extends SslContext implements ReferenceCounted {
|
||||
private static final InternalLogger logger =
|
||||
InternalLoggerFactory.getInstance(ReferenceCountedOpenSslContext.class);
|
||||
/**
|
||||
* To make it easier for users to replace JDK implemention with OpenSsl version we also use
|
||||
* {@code jdk.tls.rejectClientInitiatedRenegotiation} to allow disabling client initiated renegotiation.
|
||||
* Java8+ uses this system property as well.
|
||||
* <p>
|
||||
* See also <a href="http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html">
|
||||
* Significant SSL/TLS improvements in Java 8</a>
|
||||
*/
|
||||
private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION =
|
||||
SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false);
|
||||
private static final List<String> DEFAULT_CIPHERS;
|
||||
private static final Integer DH_KEY_LENGTH;
|
||||
private static final ResourceLeakDetector<ReferenceCountedOpenSslContext> leakDetector =
|
||||
ResourceLeakDetectorFactory.instance().newResourceLeakDetector(ReferenceCountedOpenSslContext.class);
|
||||
|
||||
// TODO: Maybe make configurable ?
|
||||
protected static final int VERIFY_DEPTH = 10;
|
||||
|
||||
/**
|
||||
* The OpenSSL SSL_CTX object
|
||||
*/
|
||||
protected volatile long ctx;
|
||||
long aprPool;
|
||||
@SuppressWarnings({ "unused", "FieldMayBeFinal" })
|
||||
private volatile int aprPoolDestroyed;
|
||||
private final List<String> unmodifiableCiphers;
|
||||
private final long sessionCacheSize;
|
||||
private final long sessionTimeout;
|
||||
private final OpenSslApplicationProtocolNegotiator apn;
|
||||
private final int mode;
|
||||
|
||||
// Reference Counting
|
||||
private final ResourceLeak leak;
|
||||
private final AbstractReferenceCounted refCnt = new AbstractReferenceCounted() {
|
||||
@Override
|
||||
public ReferenceCounted touch(Object hint) {
|
||||
if (leak != null) {
|
||||
leak.record(hint);
|
||||
}
|
||||
|
||||
return ReferenceCountedOpenSslContext.this;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void deallocate() {
|
||||
destroy();
|
||||
if (leak != null) {
|
||||
leak.close();
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
final Certificate[] keyCertChain;
|
||||
final ClientAuth clientAuth;
|
||||
final OpenSslEngineMap engineMap = new DefaultOpenSslEngineMap();
|
||||
volatile boolean rejectRemoteInitiatedRenegotiation;
|
||||
|
||||
static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR =
|
||||
new OpenSslApplicationProtocolNegotiator() {
|
||||
@Override
|
||||
public ApplicationProtocolConfig.Protocol protocol() {
|
||||
return ApplicationProtocolConfig.Protocol.NONE;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<String> protocols() {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
@Override
|
||||
public ApplicationProtocolConfig.SelectorFailureBehavior selectorFailureBehavior() {
|
||||
return ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListenerFailureBehavior() {
|
||||
return ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT;
|
||||
}
|
||||
};
|
||||
|
||||
static {
|
||||
List<String> ciphers = new ArrayList<String>();
|
||||
// XXX: Make sure to sync this list with JdkSslEngineFactory.
|
||||
Collections.addAll(
|
||||
ciphers,
|
||||
"ECDHE-RSA-AES128-GCM-SHA256",
|
||||
"ECDHE-RSA-AES128-SHA",
|
||||
"ECDHE-RSA-AES256-SHA",
|
||||
"AES128-GCM-SHA256",
|
||||
"AES128-SHA",
|
||||
"AES256-SHA",
|
||||
"DES-CBC3-SHA");
|
||||
DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("Default cipher suite (OpenSSL): " + ciphers);
|
||||
}
|
||||
|
||||
Integer dhLen = null;
|
||||
|
||||
try {
|
||||
String dhKeySize = AccessController.doPrivileged(new PrivilegedAction<String>() {
|
||||
@Override
|
||||
public String run() {
|
||||
return SystemPropertyUtil.get("jdk.tls.ephemeralDHKeySize");
|
||||
}
|
||||
});
|
||||
if (dhKeySize != null) {
|
||||
try {
|
||||
dhLen = Integer.valueOf(dhKeySize);
|
||||
} catch (NumberFormatException e) {
|
||||
logger.debug("ReferenceCountedOpenSslContext supports -Djdk.tls.ephemeralDHKeySize={int}, but got: "
|
||||
+ dhKeySize);
|
||||
}
|
||||
}
|
||||
} catch (Throwable ignore) {
|
||||
// ignore
|
||||
}
|
||||
DH_KEY_LENGTH = dhLen;
|
||||
}
|
||||
|
||||
ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
|
||||
ApplicationProtocolConfig apnCfg, long sessionCacheSize, long sessionTimeout,
|
||||
int mode, Certificate[] keyCertChain, ClientAuth clientAuth, boolean leakDetection)
|
||||
throws SSLException {
|
||||
this(ciphers, cipherFilter, toNegotiator(apnCfg), sessionCacheSize, sessionTimeout, mode, keyCertChain,
|
||||
clientAuth, leakDetection);
|
||||
}
|
||||
|
||||
ReferenceCountedOpenSslContext(Iterable<String> ciphers, CipherSuiteFilter cipherFilter,
|
||||
OpenSslApplicationProtocolNegotiator apn, long sessionCacheSize,
|
||||
long sessionTimeout, int mode, Certificate[] keyCertChain,
|
||||
ClientAuth clientAuth, boolean leakDetection) throws SSLException {
|
||||
OpenSsl.ensureAvailability();
|
||||
|
||||
if (mode != SSL.SSL_MODE_SERVER && mode != SSL.SSL_MODE_CLIENT) {
|
||||
throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
|
||||
}
|
||||
leak = leakDetection ? leakDetector.open(this) : null;
|
||||
this.mode = mode;
|
||||
this.clientAuth = isServer() ? checkNotNull(clientAuth, "clientAuth") : ClientAuth.NONE;
|
||||
|
||||
if (mode == SSL.SSL_MODE_SERVER) {
|
||||
rejectRemoteInitiatedRenegotiation =
|
||||
JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
|
||||
}
|
||||
this.keyCertChain = keyCertChain == null ? null : keyCertChain.clone();
|
||||
final List<String> convertedCiphers;
|
||||
if (ciphers == null) {
|
||||
convertedCiphers = null;
|
||||
} else {
|
||||
convertedCiphers = new ArrayList<String>();
|
||||
for (String c : ciphers) {
|
||||
if (c == null) {
|
||||
break;
|
||||
}
|
||||
|
||||
String converted = CipherSuiteConverter.toOpenSsl(c);
|
||||
if (converted != null) {
|
||||
c = converted;
|
||||
}
|
||||
convertedCiphers.add(c);
|
||||
}
|
||||
}
|
||||
|
||||
unmodifiableCiphers = Arrays.asList(checkNotNull(cipherFilter, "cipherFilter").filterCipherSuites(
|
||||
convertedCiphers, DEFAULT_CIPHERS, OpenSsl.availableCipherSuites()));
|
||||
|
||||
this.apn = checkNotNull(apn, "apn");
|
||||
|
||||
// Allocate a new APR pool.
|
||||
aprPool = Pool.create(0);
|
||||
|
||||
// Create a new SSL_CTX and configure it.
|
||||
boolean success = false;
|
||||
try {
|
||||
synchronized (ReferenceCountedOpenSslContext.class) {
|
||||
try {
|
||||
ctx = SSLContext.make(aprPool, SSL.SSL_PROTOCOL_ALL, mode);
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to create an SSL_CTX", e);
|
||||
}
|
||||
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
|
||||
// Disable ticket support by default to be more inline with SSLEngineImpl of the JDK.
|
||||
// This also let SSLSession.getId() work the same way for the JDK implementation and the OpenSSLEngine.
|
||||
// If tickets are supported SSLSession.getId() will only return an ID on the server-side if it could
|
||||
// make use of tickets.
|
||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
|
||||
|
||||
// We need to enable SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER as the memory address may change between
|
||||
// calling OpenSSLEngine.wrap(...).
|
||||
// See https://github.com/netty/netty-tcnative/issues/100
|
||||
SSLContext.setMode(ctx, SSLContext.getMode(ctx) | SSL.SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
||||
|
||||
if (DH_KEY_LENGTH != null) {
|
||||
SSLContext.setTmpDHLength(ctx, DH_KEY_LENGTH);
|
||||
}
|
||||
|
||||
/* List the ciphers that are permitted to negotiate. */
|
||||
try {
|
||||
SSLContext.setCipherSuite(ctx, CipherSuiteConverter.toOpenSsl(unmodifiableCiphers));
|
||||
} catch (SSLException e) {
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set cipher suite: " + unmodifiableCiphers, e);
|
||||
}
|
||||
|
||||
List<String> nextProtoList = apn.protocols();
|
||||
/* Set next protocols for next protocol negotiation extension, if specified */
|
||||
if (!nextProtoList.isEmpty()) {
|
||||
String[] protocols = nextProtoList.toArray(new String[nextProtoList.size()]);
|
||||
int selectorBehavior = opensslSelectorFailureBehavior(apn.selectorFailureBehavior());
|
||||
|
||||
switch (apn.protocol()) {
|
||||
case NPN:
|
||||
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
|
||||
break;
|
||||
case ALPN:
|
||||
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
|
||||
break;
|
||||
case NPN_AND_ALPN:
|
||||
SSLContext.setNpnProtos(ctx, protocols, selectorBehavior);
|
||||
SSLContext.setAlpnProtos(ctx, protocols, selectorBehavior);
|
||||
break;
|
||||
default:
|
||||
throw new Error();
|
||||
}
|
||||
}
|
||||
|
||||
/* Set session cache size, if specified */
|
||||
if (sessionCacheSize > 0) {
|
||||
this.sessionCacheSize = sessionCacheSize;
|
||||
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
|
||||
} else {
|
||||
// Get the default session cache size using SSLContext.setSessionCacheSize()
|
||||
this.sessionCacheSize = sessionCacheSize = SSLContext.setSessionCacheSize(ctx, 20480);
|
||||
// Revert the session cache size to the default value.
|
||||
SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
|
||||
}
|
||||
|
||||
/* Set session timeout, if specified */
|
||||
if (sessionTimeout > 0) {
|
||||
this.sessionTimeout = sessionTimeout;
|
||||
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
|
||||
} else {
|
||||
// Get the default session timeout using SSLContext.setSessionCacheTimeout()
|
||||
this.sessionTimeout = sessionTimeout = SSLContext.setSessionCacheTimeout(ctx, 300);
|
||||
// Revert the session timeout to the default value.
|
||||
SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
|
||||
}
|
||||
}
|
||||
success = true;
|
||||
} finally {
|
||||
if (!success) {
|
||||
release();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior behavior) {
|
||||
switch (behavior) {
|
||||
case NO_ADVERTISE:
|
||||
return SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE;
|
||||
case CHOOSE_MY_LAST_PROTOCOL:
|
||||
return SSL.SSL_SELECTOR_FAILURE_CHOOSE_MY_LAST_PROTOCOL;
|
||||
default:
|
||||
throw new Error();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public final List<String> cipherSuites() {
|
||||
return unmodifiableCiphers;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final long sessionCacheSize() {
|
||||
return sessionCacheSize;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final long sessionTimeout() {
|
||||
return sessionTimeout;
|
||||
}
|
||||
|
||||
@Override
|
||||
public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
|
||||
return apn;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final boolean isClient() {
|
||||
return mode == SSL.SSL_MODE_CLIENT;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final SSLEngine newEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
|
||||
return newEngine0(alloc, peerHost, peerPort);
|
||||
}
|
||||
|
||||
SSLEngine newEngine0(ByteBufAllocator alloc, String peerHost, int peerPort) {
|
||||
return new ReferenceCountedOpenSslEngine(this, alloc, peerHost, peerPort, true);
|
||||
}
|
||||
|
||||
abstract OpenSslKeyMaterialManager keyMaterialManager();
|
||||
|
||||
/**
|
||||
* Returns a new server-side {@link SSLEngine} with the current configuration.
|
||||
*/
|
||||
@Override
|
||||
public final SSLEngine newEngine(ByteBufAllocator alloc) {
|
||||
return newEngine(alloc, null, -1);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the pointer to the {@code SSL_CTX} object for this {@link ReferenceCountedOpenSslContext}.
|
||||
* Be aware that it is freed as soon as the {@link #finalize()} method is called.
|
||||
* At this point {@code 0} will be returned.
|
||||
*
|
||||
* @deprecated use {@link #sslCtxPointer()}
|
||||
*/
|
||||
@Deprecated
|
||||
public final long context() {
|
||||
return ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the stats of this context.
|
||||
*
|
||||
* @deprecated use {@link #sessionContext#stats()}
|
||||
*/
|
||||
@Deprecated
|
||||
public final OpenSslSessionStats stats() {
|
||||
return sessionContext().stats();
|
||||
}
|
||||
|
||||
/**
|
||||
* Specify if remote initiated renegotiation is supported or not. If not supported and the remote side tries
|
||||
* to initiate a renegotiation a {@link SSLHandshakeException} will be thrown during decoding.
|
||||
*/
|
||||
public void setRejectRemoteInitiatedRenegotiation(boolean rejectRemoteInitiatedRenegotiation) {
|
||||
this.rejectRemoteInitiatedRenegotiation = rejectRemoteInitiatedRenegotiation;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the SSL session ticket keys of this context.
|
||||
*
|
||||
* @deprecated use {@link OpenSslSessionContext#setTicketKeys(byte[])}
|
||||
*/
|
||||
@Deprecated
|
||||
public final void setTicketKeys(byte[] keys) {
|
||||
sessionContext().setTicketKeys(keys);
|
||||
}
|
||||
|
||||
@Override
|
||||
public abstract OpenSslSessionContext sessionContext();
|
||||
|
||||
/**
|
||||
* Returns the pointer to the {@code SSL_CTX} object for this {@link ReferenceCountedOpenSslContext}.
|
||||
* Be aware that it is freed as soon as the {@link #release()} method is called.
|
||||
* At this point {@code 0} will be returned.
|
||||
*/
|
||||
public final long sslCtxPointer() {
|
||||
return ctx;
|
||||
}
|
||||
|
||||
// IMPORTANT: This method must only be called from either the constructor or the finalizer as a user MUST never
|
||||
// get access to an OpenSslSessionContext after this method was called to prevent the user from
|
||||
// producing a segfault.
|
||||
final void destroy() {
|
||||
synchronized (ReferenceCountedOpenSslContext.class) {
|
||||
if (ctx != 0) {
|
||||
SSLContext.free(ctx);
|
||||
ctx = 0;
|
||||
}
|
||||
|
||||
// Guard against multiple destroyPools() calls triggered by construction exception and finalize() later
|
||||
if (aprPool != 0) {
|
||||
Pool.destroy(aprPool);
|
||||
aprPool = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
protected static X509Certificate[] certificates(byte[][] chain) {
|
||||
X509Certificate[] peerCerts = new X509Certificate[chain.length];
|
||||
for (int i = 0; i < peerCerts.length; i++) {
|
||||
peerCerts[i] = new OpenSslX509Certificate(chain[i]);
|
||||
}
|
||||
return peerCerts;
|
||||
}
|
||||
|
||||
protected static X509TrustManager chooseTrustManager(TrustManager[] managers) {
|
||||
for (TrustManager m : managers) {
|
||||
if (m instanceof X509TrustManager) {
|
||||
return (X509TrustManager) m;
|
||||
}
|
||||
}
|
||||
throw new IllegalStateException("no X509TrustManager found");
|
||||
}
|
||||
|
||||
protected static X509KeyManager chooseX509KeyManager(KeyManager[] kms) {
|
||||
for (KeyManager km : kms) {
|
||||
if (km instanceof X509KeyManager) {
|
||||
return (X509KeyManager) km;
|
||||
}
|
||||
}
|
||||
throw new IllegalStateException("no X509KeyManager found");
|
||||
}
|
||||
|
||||
/**
|
||||
* Translate a {@link ApplicationProtocolConfig} object to a
|
||||
* {@link OpenSslApplicationProtocolNegotiator} object.
|
||||
*
|
||||
* @param config The configuration which defines the translation
|
||||
* @return The results of the translation
|
||||
*/
|
||||
static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig config) {
|
||||
if (config == null) {
|
||||
return NONE_PROTOCOL_NEGOTIATOR;
|
||||
}
|
||||
|
||||
switch (config.protocol()) {
|
||||
case NONE:
|
||||
return NONE_PROTOCOL_NEGOTIATOR;
|
||||
case ALPN:
|
||||
case NPN:
|
||||
case NPN_AND_ALPN:
|
||||
switch (config.selectedListenerFailureBehavior()) {
|
||||
case CHOOSE_MY_LAST_PROTOCOL:
|
||||
case ACCEPT:
|
||||
switch (config.selectorFailureBehavior()) {
|
||||
case CHOOSE_MY_LAST_PROTOCOL:
|
||||
case NO_ADVERTISE:
|
||||
return new OpenSslDefaultApplicationProtocolNegotiator(
|
||||
config);
|
||||
default:
|
||||
throw new UnsupportedOperationException(
|
||||
new StringBuilder("OpenSSL provider does not support ")
|
||||
.append(config.selectorFailureBehavior())
|
||||
.append(" behavior").toString());
|
||||
}
|
||||
default:
|
||||
throw new UnsupportedOperationException(
|
||||
new StringBuilder("OpenSSL provider does not support ")
|
||||
.append(config.selectedListenerFailureBehavior())
|
||||
.append(" behavior").toString());
|
||||
}
|
||||
default:
|
||||
throw new Error();
|
||||
}
|
||||
}
|
||||
|
||||
static boolean useExtendedTrustManager(X509TrustManager trustManager) {
|
||||
return PlatformDependent.javaVersion() >= 7 && trustManager instanceof X509ExtendedTrustManager;
|
||||
}
|
||||
|
||||
static boolean useExtendedKeyManager(X509KeyManager keyManager) {
|
||||
return PlatformDependent.javaVersion() >= 7 && keyManager instanceof X509ExtendedKeyManager;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final int refCnt() {
|
||||
return refCnt.refCnt();
|
||||
}
|
||||
|
||||
@Override
|
||||
public final ReferenceCounted retain() {
|
||||
refCnt.retain();
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final ReferenceCounted retain(int increment) {
|
||||
refCnt.retain(increment);
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final ReferenceCounted touch() {
|
||||
refCnt.touch();
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final ReferenceCounted touch(Object hint) {
|
||||
refCnt.touch(hint);
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final boolean release() {
|
||||
return refCnt.release();
|
||||
}
|
||||
|
||||
@Override
|
||||
public final boolean release(int decrement) {
|
||||
return refCnt.release(decrement);
|
||||
}
|
||||
|
||||
abstract static class AbstractCertificateVerifier implements CertificateVerifier {
|
||||
private final OpenSslEngineMap engineMap;
|
||||
|
||||
AbstractCertificateVerifier(OpenSslEngineMap engineMap) {
|
||||
this.engineMap = engineMap;
|
||||
}
|
||||
|
||||
@Override
|
||||
public final int verify(long ssl, byte[][] chain, String auth) {
|
||||
X509Certificate[] peerCerts = certificates(chain);
|
||||
final ReferenceCountedOpenSslEngine engine = engineMap.get(ssl);
|
||||
try {
|
||||
verify(engine, peerCerts, auth);
|
||||
return CertificateVerifier.X509_V_OK;
|
||||
} catch (Throwable cause) {
|
||||
logger.debug("verification of certificate failed", cause);
|
||||
SSLHandshakeException e = new SSLHandshakeException("General OpenSslEngine problem");
|
||||
e.initCause(cause);
|
||||
engine.handshakeException = e;
|
||||
|
||||
if (cause instanceof OpenSslCertificateException) {
|
||||
return ((OpenSslCertificateException) cause).errorCode();
|
||||
}
|
||||
if (cause instanceof CertificateExpiredException) {
|
||||
return CertificateVerifier.X509_V_ERR_CERT_HAS_EXPIRED;
|
||||
}
|
||||
if (cause instanceof CertificateNotYetValidException) {
|
||||
return CertificateVerifier.X509_V_ERR_CERT_NOT_YET_VALID;
|
||||
}
|
||||
if (PlatformDependent.javaVersion() >= 7 && cause instanceof CertificateRevokedException) {
|
||||
return CertificateVerifier.X509_V_ERR_CERT_REVOKED;
|
||||
}
|
||||
return CertificateVerifier.X509_V_ERR_UNSPECIFIED;
|
||||
}
|
||||
}
|
||||
|
||||
abstract void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts,
|
||||
String auth) throws Exception;
|
||||
}
|
||||
|
||||
private static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
|
||||
private final Map<Long, ReferenceCountedOpenSslEngine> engines = PlatformDependent.newConcurrentHashMap();
|
||||
|
||||
@Override
|
||||
public ReferenceCountedOpenSslEngine remove(long ssl) {
|
||||
return engines.remove(ssl);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void add(ReferenceCountedOpenSslEngine engine) {
|
||||
engines.put(engine.sslPointer(), engine);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ReferenceCountedOpenSslEngine get(long ssl) {
|
||||
return engines.get(ssl);
|
||||
}
|
||||
}
|
||||
|
||||
static void setKeyMaterial(long ctx, X509Certificate[] keyCertChain, PrivateKey key, String keyPassword)
|
||||
throws SSLException {
|
||||
/* Load the certificate file and private key. */
|
||||
long keyBio = 0;
|
||||
long keyCertChainBio = 0;
|
||||
|
||||
try {
|
||||
keyCertChainBio = toBIO(keyCertChain);
|
||||
keyBio = toBIO(key);
|
||||
|
||||
SSLContext.setCertificateBio(
|
||||
ctx, keyCertChainBio, keyBio,
|
||||
keyPassword == null ? StringUtil.EMPTY_STRING : keyPassword, SSL.SSL_AIDX_RSA);
|
||||
// We may have more then one cert in the chain so add all of them now.
|
||||
SSLContext.setCertificateChainBio(ctx, keyCertChainBio, false);
|
||||
} catch (SSLException e) {
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set certificate and key", e);
|
||||
} finally {
|
||||
if (keyBio != 0) {
|
||||
SSL.freeBIO(keyBio);
|
||||
}
|
||||
if (keyCertChainBio != 0) {
|
||||
SSL.freeBIO(keyCertChainBio);
|
||||
}
|
||||
}
|
||||
}
|
||||
/**
|
||||
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
|
||||
* or {@code 0} if the {@code key} is {@code null}. The BIO contains the content of the {@code key}.
|
||||
*/
|
||||
static long toBIO(PrivateKey key) throws Exception {
|
||||
if (key == null) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
|
||||
PemEncoded pem = PemPrivateKey.toPEM(allocator, true, key);
|
||||
try {
|
||||
return toBIO(allocator, pem.retain());
|
||||
} finally {
|
||||
pem.release();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the pointer to a <a href="https://www.openssl.org/docs/crypto/BIO_get_mem_ptr.html">in-memory BIO</a>
|
||||
* or {@code 0} if the {@code certChain} is {@code null}. The BIO contains the content of the {@code certChain}.
|
||||
*/
|
||||
static long toBIO(X509Certificate... certChain) throws Exception {
|
||||
if (certChain == null) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (certChain.length == 0) {
|
||||
throw new IllegalArgumentException("certChain can't be empty");
|
||||
}
|
||||
|
||||
ByteBufAllocator allocator = ByteBufAllocator.DEFAULT;
|
||||
PemEncoded pem = PemX509Certificate.toPEM(allocator, true, certChain);
|
||||
try {
|
||||
return toBIO(allocator, pem.retain());
|
||||
} finally {
|
||||
pem.release();
|
||||
}
|
||||
}
|
||||
|
||||
private static long toBIO(ByteBufAllocator allocator, PemEncoded pem) throws Exception {
|
||||
try {
|
||||
// We can turn direct buffers straight into BIOs. No need to
|
||||
// make a yet another copy.
|
||||
ByteBuf content = pem.content();
|
||||
|
||||
if (content.isDirect()) {
|
||||
return newBIO(content.retainedSlice());
|
||||
}
|
||||
|
||||
ByteBuf buffer = allocator.directBuffer(content.readableBytes());
|
||||
try {
|
||||
buffer.writeBytes(content, content.readerIndex(), content.readableBytes());
|
||||
return newBIO(buffer.retainedSlice());
|
||||
} finally {
|
||||
try {
|
||||
// If the contents of the ByteBuf is sensitive (e.g. a PrivateKey) we
|
||||
// need to zero out the bytes of the copy before we're releasing it.
|
||||
if (pem.isSensitive()) {
|
||||
SslUtils.zeroout(buffer);
|
||||
}
|
||||
} finally {
|
||||
buffer.release();
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
pem.release();
|
||||
}
|
||||
}
|
||||
|
||||
private static long newBIO(ByteBuf buffer) throws Exception {
|
||||
try {
|
||||
long bio = SSL.newMemBIO();
|
||||
int readable = buffer.readableBytes();
|
||||
if (SSL.writeToBIO(bio, OpenSsl.memoryAddress(buffer) + buffer.readerIndex(), readable) != readable) {
|
||||
SSL.freeBIO(bio);
|
||||
throw new IllegalStateException("Could not write data to memory BIO");
|
||||
}
|
||||
return bio;
|
||||
} finally {
|
||||
buffer.release();
|
||||
}
|
||||
}
|
||||
}
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,191 @@
|
||||
/*
|
||||
* Copyright 2016 The Netty Project
|
||||
*
|
||||
* The Netty Project licenses this file to you under the Apache License,
|
||||
* version 2.0 (the "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import org.apache.tomcat.jni.SSL;
|
||||
import org.apache.tomcat.jni.SSLContext;
|
||||
|
||||
import java.security.KeyStore;
|
||||
import java.security.PrivateKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.TrustManagerFactory;
|
||||
import javax.net.ssl.X509ExtendedKeyManager;
|
||||
import javax.net.ssl.X509ExtendedTrustManager;
|
||||
import javax.net.ssl.X509KeyManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
|
||||
import static io.netty.util.internal.ObjectUtil.checkNotNull;
|
||||
|
||||
/**
|
||||
* A server-side {@link SslContext} which uses OpenSSL's SSL/TLS implementation.
|
||||
* <p>Instances of this class must be {@link #release() released} or else native memory will leak!
|
||||
*/
|
||||
public final class ReferenceCountedOpenSslServerContext extends ReferenceCountedOpenSslContext {
|
||||
private static final byte[] ID = new byte[] {'n', 'e', 't', 't', 'y'};
|
||||
private final OpenSslServerSessionContext sessionContext;
|
||||
private final OpenSslKeyMaterialManager keyMaterialManager;
|
||||
|
||||
ReferenceCountedOpenSslServerContext(
|
||||
X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
|
||||
Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
|
||||
long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth) throws SSLException {
|
||||
this(trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword, keyManagerFactory, ciphers,
|
||||
cipherFilter, toNegotiator(apn), sessionCacheSize, sessionTimeout, clientAuth);
|
||||
}
|
||||
|
||||
private ReferenceCountedOpenSslServerContext(
|
||||
X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
|
||||
Iterable<String> ciphers, CipherSuiteFilter cipherFilter, OpenSslApplicationProtocolNegotiator apn,
|
||||
long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth) throws SSLException {
|
||||
super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_SERVER, keyCertChain,
|
||||
clientAuth, true);
|
||||
// Create a new SSL_CTX and configure it.
|
||||
boolean success = false;
|
||||
try {
|
||||
ServerContext context = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
|
||||
keyCertChain, key, keyPassword, keyManagerFactory);
|
||||
sessionContext = context.sessionContext;
|
||||
keyMaterialManager = context.keyMaterialManager;
|
||||
success = true;
|
||||
} finally {
|
||||
if (!success) {
|
||||
release();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public OpenSslServerSessionContext sessionContext() {
|
||||
return sessionContext;
|
||||
}
|
||||
|
||||
@Override
|
||||
OpenSslKeyMaterialManager keyMaterialManager() {
|
||||
return keyMaterialManager;
|
||||
}
|
||||
|
||||
static final class ServerContext {
|
||||
OpenSslServerSessionContext sessionContext;
|
||||
OpenSslKeyMaterialManager keyMaterialManager;
|
||||
}
|
||||
|
||||
static ServerContext newSessionContext(ReferenceCountedOpenSslContext thiz, long ctx, OpenSslEngineMap engineMap,
|
||||
X509Certificate[] trustCertCollection,
|
||||
TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key,
|
||||
String keyPassword, KeyManagerFactory keyManagerFactory)
|
||||
throws SSLException {
|
||||
ServerContext result = new ServerContext();
|
||||
synchronized (ReferenceCountedOpenSslContext.class) {
|
||||
try {
|
||||
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
|
||||
if (!OpenSsl.useKeyManagerFactory()) {
|
||||
if (keyManagerFactory != null) {
|
||||
throw new IllegalArgumentException(
|
||||
"KeyManagerFactory not supported");
|
||||
}
|
||||
checkNotNull(keyCertChain, "keyCertChain");
|
||||
|
||||
/* Set certificate verification policy. */
|
||||
SSLContext.setVerify(ctx, SSL.SSL_CVERIFY_NONE, VERIFY_DEPTH);
|
||||
|
||||
setKeyMaterial(ctx, keyCertChain, key, keyPassword);
|
||||
} else {
|
||||
// javadocs state that keyManagerFactory has precedent over keyCertChain, and we must have a
|
||||
// keyManagerFactory for the server so build one if it is not specified.
|
||||
if (keyManagerFactory == null) {
|
||||
keyManagerFactory = buildKeyManagerFactory(
|
||||
keyCertChain, key, keyPassword, keyManagerFactory);
|
||||
}
|
||||
X509KeyManager keyManager = chooseX509KeyManager(keyManagerFactory.getKeyManagers());
|
||||
result.keyMaterialManager = useExtendedKeyManager(keyManager) ?
|
||||
new OpenSslExtendedKeyMaterialManager(
|
||||
(X509ExtendedKeyManager) keyManager, keyPassword) :
|
||||
new OpenSslKeyMaterialManager(keyManager, keyPassword);
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("failed to set certificate and key", e);
|
||||
}
|
||||
try {
|
||||
if (trustCertCollection != null) {
|
||||
trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
|
||||
} else if (trustManagerFactory == null) {
|
||||
// Mimic the way SSLContext.getInstance(KeyManager[], null, null) works
|
||||
trustManagerFactory = TrustManagerFactory.getInstance(
|
||||
TrustManagerFactory.getDefaultAlgorithm());
|
||||
trustManagerFactory.init((KeyStore) null);
|
||||
}
|
||||
|
||||
final X509TrustManager manager = chooseTrustManager(trustManagerFactory.getTrustManagers());
|
||||
|
||||
// IMPORTANT: The callbacks set for verification must be static to prevent memory leak as
|
||||
// otherwise the context can never be collected. This is because the JNI code holds
|
||||
// a global reference to the callbacks.
|
||||
//
|
||||
// See https://github.com/netty/netty/issues/5372
|
||||
|
||||
// Use this to prevent an error when running on java < 7
|
||||
if (useExtendedTrustManager(manager)) {
|
||||
SSLContext.setCertVerifyCallback(ctx,
|
||||
new ExtendedTrustManagerVerifyCallback(engineMap, (X509ExtendedTrustManager) manager));
|
||||
} else {
|
||||
SSLContext.setCertVerifyCallback(ctx, new TrustManagerVerifyCallback(engineMap, manager));
|
||||
}
|
||||
} catch (Exception e) {
|
||||
throw new SSLException("unable to setup trustmanager", e);
|
||||
}
|
||||
}
|
||||
|
||||
result.sessionContext = new OpenSslServerSessionContext(thiz);
|
||||
result.sessionContext.setSessionIdContext(ID);
|
||||
return result;
|
||||
}
|
||||
|
||||
private static final class TrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509TrustManager manager;
|
||||
|
||||
TrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509TrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkClientTrusted(peerCerts, auth);
|
||||
}
|
||||
}
|
||||
|
||||
private static final class ExtendedTrustManagerVerifyCallback extends AbstractCertificateVerifier {
|
||||
private final X509ExtendedTrustManager manager;
|
||||
|
||||
ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
|
||||
super(engineMap);
|
||||
this.manager = manager;
|
||||
}
|
||||
|
||||
@Override
|
||||
void verify(ReferenceCountedOpenSslEngine engine, X509Certificate[] peerCerts, String auth)
|
||||
throws Exception {
|
||||
manager.checkClientTrusted(peerCerts, auth, engine);
|
||||
}
|
||||
}
|
||||
}
|
@ -396,8 +396,7 @@ public abstract class SslContext {
|
||||
X509Certificate[] trustCertCollection, TrustManagerFactory trustManagerFactory,
|
||||
X509Certificate[] keyCertChain, PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
|
||||
Iterable<String> ciphers, CipherSuiteFilter cipherFilter, ApplicationProtocolConfig apn,
|
||||
long sessionCacheSize, long sessionTimeout,
|
||||
ClientAuth clientAuth) throws SSLException {
|
||||
long sessionCacheSize, long sessionTimeout, ClientAuth clientAuth) throws SSLException {
|
||||
|
||||
if (provider == null) {
|
||||
provider = defaultServerProvider();
|
||||
@ -414,6 +413,11 @@ public abstract class SslContext {
|
||||
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
|
||||
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
|
||||
clientAuth);
|
||||
case OPENSSL_REFCNT:
|
||||
return new ReferenceCountedOpenSslServerContext(
|
||||
trustCertCollection, trustManagerFactory, keyCertChain, key, keyPassword,
|
||||
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout,
|
||||
clientAuth);
|
||||
default:
|
||||
throw new Error(provider.toString());
|
||||
}
|
||||
@ -749,9 +753,13 @@ public abstract class SslContext {
|
||||
return new OpenSslClientContext(
|
||||
trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
|
||||
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
|
||||
case OPENSSL_REFCNT:
|
||||
return new ReferenceCountedOpenSslClientContext(
|
||||
trustCert, trustManagerFactory, keyCertChain, key, keyPassword,
|
||||
keyManagerFactory, ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout);
|
||||
default:
|
||||
throw new Error(provider.toString());
|
||||
}
|
||||
// Should never happen!!
|
||||
throw new Error();
|
||||
}
|
||||
|
||||
static ApplicationProtocolConfig toApplicationProtocolConfig(Iterable<String> nextProtocols) {
|
||||
@ -813,14 +821,17 @@ public abstract class SslContext {
|
||||
|
||||
/**
|
||||
* Creates a new {@link SSLEngine}.
|
||||
*
|
||||
* <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the object must be released. One way to do this is to
|
||||
* wrap in a {@link SslHandler} and insert it into a pipeline. See {@link #newHandler(ByteBufAllocator)}.
|
||||
* @return a new {@link SSLEngine}
|
||||
*/
|
||||
public abstract SSLEngine newEngine(ByteBufAllocator alloc);
|
||||
|
||||
/**
|
||||
* Creates a new {@link SSLEngine} using advisory peer information.
|
||||
*
|
||||
* <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the object must be released. One way to do this is to
|
||||
* wrap in a {@link SslHandler} and insert it into a pipeline.
|
||||
* See {@link #newHandler(ByteBufAllocator, String, int)}.
|
||||
* @param peerHost the non-authoritative name of the host
|
||||
* @param peerPort the non-authoritative port
|
||||
*
|
||||
@ -835,7 +846,9 @@ public abstract class SslContext {
|
||||
|
||||
/**
|
||||
* Creates a new {@link SslHandler}.
|
||||
*
|
||||
* <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the returned {@link SslHandler} will release the engine
|
||||
* that is wrapped. If the returned {@link SslHandler} is not inserted into a pipeline then you may leak native
|
||||
* memory!
|
||||
* @return a new {@link SslHandler}
|
||||
*/
|
||||
public final SslHandler newHandler(ByteBufAllocator alloc) {
|
||||
@ -844,7 +857,9 @@ public abstract class SslContext {
|
||||
|
||||
/**
|
||||
* Creates a new {@link SslHandler} with advisory peer information.
|
||||
*
|
||||
* <p>If {@link SslProvider#OPENSSL_REFCNT} is used then the returned {@link SslHandler} will release the engine
|
||||
* that is wrapped. If the returned {@link SslHandler} is not inserted into a pipeline then you may leak native
|
||||
* memory!
|
||||
* @param peerHost the non-authoritative name of the host
|
||||
* @param peerPort the non-authoritative port
|
||||
*
|
||||
|
@ -385,6 +385,8 @@ public final class SslContextBuilder {
|
||||
|
||||
/**
|
||||
* Create new {@code SslContext} instance with configured settings.
|
||||
* <p>If {@link #sslProvider(SslProvider)} is set to {@link SslProvider#OPENSSL_REFCNT} then the caller is
|
||||
* responsible for releasing this object, or else native memory may leak.
|
||||
*/
|
||||
public SslContext build() throws SSLException {
|
||||
if (forServer) {
|
||||
|
@ -421,9 +421,8 @@ public class SslHandler extends ByteToMessageDecoder implements ChannelOutboundH
|
||||
// Check if queue is not empty first because create a new ChannelException is expensive
|
||||
pendingUnencryptedWrites.removeAndFailAll(new ChannelException("Pending write on removal of SslHandler"));
|
||||
}
|
||||
if (engine instanceof OpenSslEngine) {
|
||||
// Call shutdown so we ensure all the native memory is released asap
|
||||
((OpenSslEngine) engine).shutdown();
|
||||
if (engine instanceof ReferenceCountedOpenSslEngine) {
|
||||
((ReferenceCountedOpenSslEngine) engine).release();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -16,6 +16,9 @@
|
||||
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.util.ReferenceCounted;
|
||||
import io.netty.util.internal.UnstableApi;
|
||||
|
||||
/**
|
||||
* An enumeration of SSL/TLS protocol providers.
|
||||
*/
|
||||
@ -27,5 +30,10 @@ public enum SslProvider {
|
||||
/**
|
||||
* OpenSSL-based implementation.
|
||||
*/
|
||||
OPENSSL
|
||||
OPENSSL,
|
||||
/**
|
||||
* OpenSSL-based implementation which does not have finalizers and instead implements {@link ReferenceCounted}.
|
||||
*/
|
||||
@UnstableApi
|
||||
OPENSSL_REFCNT
|
||||
}
|
||||
|
@ -21,6 +21,7 @@ import io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBeh
|
||||
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
|
||||
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
|
||||
import io.netty.handler.ssl.util.SelfSignedCertificate;
|
||||
import io.netty.util.ReferenceCountUtil;
|
||||
import io.netty.util.internal.ThreadLocalRandom;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
@ -79,16 +80,19 @@ public class OpenSslEngineTest extends SSLEngineTest {
|
||||
}
|
||||
@Test
|
||||
public void testWrapHeapBuffersNoWritePendingError() throws Exception {
|
||||
final SslContext clientContext = SslContextBuilder.forClient()
|
||||
clientSslCtx = SslContextBuilder.forClient()
|
||||
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
||||
.sslProvider(sslProvider())
|
||||
.build();
|
||||
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
||||
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||
serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||
.sslProvider(sslProvider())
|
||||
.build();
|
||||
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
SSLEngine clientEngine = null;
|
||||
SSLEngine serverEngine = null;
|
||||
try {
|
||||
clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
handshake(clientEngine, serverEngine);
|
||||
|
||||
ByteBuffer src = ByteBuffer.allocate(1024 * 10);
|
||||
@ -100,6 +104,10 @@ public class OpenSslEngineTest extends SSLEngineTest {
|
||||
dst.position(0);
|
||||
assertSame(SSLEngineResult.Status.BUFFER_OVERFLOW, clientEngine.wrap(src, dst).getStatus());
|
||||
}
|
||||
} finally {
|
||||
cleanupSslEngine(clientEngine);
|
||||
cleanupSslEngine(serverEngine);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -0,0 +1,37 @@
|
||||
/*
|
||||
* Copyright 2016 The Netty Project
|
||||
*
|
||||
* The Netty Project licenses this file to you under the Apache License,
|
||||
* version 2.0 (the "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at:
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations
|
||||
* under the License.
|
||||
*/
|
||||
package io.netty.handler.ssl;
|
||||
|
||||
import io.netty.util.ReferenceCountUtil;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
|
||||
public class ReferenceCountedOpenSslEngineTest extends OpenSslEngineTest {
|
||||
@Override
|
||||
protected SslProvider sslProvider() {
|
||||
return SslProvider.OPENSSL_REFCNT;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void cleanupSslContext(SslContext ctx) {
|
||||
ReferenceCountUtil.release(ctx);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void cleanupSslEngine(SSLEngine engine) {
|
||||
ReferenceCountUtil.release(engine);
|
||||
}
|
||||
}
|
@ -130,6 +130,14 @@ public abstract class SSLEngineTest {
|
||||
serverChannel.close().sync();
|
||||
serverChannel = null;
|
||||
}
|
||||
if (serverSslCtx != null) {
|
||||
cleanupSslContext(serverSslCtx);
|
||||
serverSslCtx = null;
|
||||
}
|
||||
if (clientSslCtx != null) {
|
||||
cleanupSslContext(clientSslCtx);
|
||||
clientSslCtx = null;
|
||||
}
|
||||
Future<?> serverGroupShutdownFuture = null;
|
||||
Future<?> serverChildGroupShutdownFuture = null;
|
||||
Future<?> clientGroupShutdownFuture = null;
|
||||
@ -333,43 +341,58 @@ public abstract class SSLEngineTest {
|
||||
|
||||
@Test
|
||||
public void testGetCreationTime() throws Exception {
|
||||
SslContext context = SslContextBuilder.forClient().sslProvider(sslProvider()).build();
|
||||
SSLEngine engine = context.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
clientSslCtx = SslContextBuilder.forClient().sslProvider(sslProvider()).build();
|
||||
SSLEngine engine = null;
|
||||
try {
|
||||
engine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
assertTrue(engine.getSession().getCreationTime() <= System.currentTimeMillis());
|
||||
} finally {
|
||||
cleanupSslEngine(engine);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSessionInvalidate() throws Exception {
|
||||
final SslContext clientContext = SslContextBuilder.forClient()
|
||||
clientSslCtx = SslContextBuilder.forClient()
|
||||
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
||||
.sslProvider(sslProvider())
|
||||
.build();
|
||||
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
||||
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||
serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||
.sslProvider(sslProvider())
|
||||
.build();
|
||||
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
SSLEngine clientEngine = null;
|
||||
SSLEngine serverEngine = null;
|
||||
try {
|
||||
clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
handshake(clientEngine, serverEngine);
|
||||
|
||||
SSLSession session = serverEngine.getSession();
|
||||
assertTrue(session.isValid());
|
||||
session.invalidate();
|
||||
assertFalse(session.isValid());
|
||||
} finally {
|
||||
cleanupSslEngine(clientEngine);
|
||||
cleanupSslEngine(serverEngine);
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testSSLSessionId() throws Exception {
|
||||
final SslContext clientContext = SslContextBuilder.forClient()
|
||||
clientSslCtx = SslContextBuilder.forClient()
|
||||
.trustManager(InsecureTrustManagerFactory.INSTANCE)
|
||||
.sslProvider(sslProvider())
|
||||
.build();
|
||||
SelfSignedCertificate ssc = new SelfSignedCertificate();
|
||||
SslContext serverContext = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||
serverSslCtx = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey())
|
||||
.sslProvider(sslProvider())
|
||||
.build();
|
||||
SSLEngine clientEngine = clientContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
SSLEngine serverEngine = serverContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
SSLEngine clientEngine = null;
|
||||
SSLEngine serverEngine = null;
|
||||
try {
|
||||
clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
|
||||
// Before the handshake the id should have length == 0
|
||||
assertEquals(0, clientEngine.getSession().getId().length);
|
||||
@ -381,6 +404,10 @@ public abstract class SSLEngineTest {
|
||||
assertNotEquals(0, clientEngine.getSession().getId().length);
|
||||
assertNotEquals(0, serverEngine.getSession().getId().length);
|
||||
assertArrayEquals(clientEngine.getSession().getId(), serverEngine.getSession().getId());
|
||||
} finally {
|
||||
cleanupSslEngine(clientEngine);
|
||||
cleanupSslEngine(serverEngine);
|
||||
}
|
||||
}
|
||||
|
||||
@Test(timeout = 3000)
|
||||
@ -493,11 +520,11 @@ public abstract class SSLEngineTest {
|
||||
try {
|
||||
File serverKeyFile = new File(getClass().getResource("test_unencrypted.pem").getFile());
|
||||
File serverCrtFile = new File(getClass().getResource("test.crt").getFile());
|
||||
SslContext sslContext = SslContextBuilder.forServer(serverCrtFile, serverKeyFile)
|
||||
serverSslCtx = SslContextBuilder.forServer(serverCrtFile, serverKeyFile)
|
||||
.sslProvider(sslProvider())
|
||||
.build();
|
||||
|
||||
sslEngine = sslContext.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
sslEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
|
||||
|
||||
// Disable all protocols
|
||||
sslEngine.setEnabledProtocols(new String[]{});
|
||||
@ -518,6 +545,7 @@ public abstract class SSLEngineTest {
|
||||
if (sslEngine != null) {
|
||||
sslEngine.closeInbound();
|
||||
sslEngine.closeOutbound();
|
||||
cleanupSslEngine(sslEngine);
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -575,6 +603,18 @@ public abstract class SSLEngineTest {
|
||||
|
||||
protected abstract SslProvider sslProvider();
|
||||
|
||||
/**
|
||||
* Called from the test cleanup code and can be used to release the {@code ctx} if it must be done manually.
|
||||
*/
|
||||
protected void cleanupSslContext(SslContext ctx) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Called when ever an SSLEngine is not wrapped by a {@link SslHandler} and inserted into a pipeline.
|
||||
*/
|
||||
protected void cleanupSslEngine(SSLEngine engine) {
|
||||
}
|
||||
|
||||
protected void setupHandlers(ApplicationProtocolConfig apn) throws InterruptedException, SSLException,
|
||||
CertificateException {
|
||||
setupHandlers(apn, apn);
|
||||
|
Loading…
Reference in New Issue
Block a user