javax.net.ssl.SSLEngineResult Java Examples
The following examples show how to use
javax.net.ssl.SSLEngineResult.
Example #1
Source File: BufferOverflowUnderflowTest.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
/**
 * Wraps the test message with one engine, then unwraps it with the other into an
 * application buffer that is one byte too short, and expects {@code BUFFER_OVERFLOW}.
 *
 * @param wrappingEngine engine used to produce the TLS record
 * @param unwrappingEngine engine used to consume it; must be in the opposite mode
 * @throws SSLException if either engine call fails
 */
private void checkBufferOverflowOnUnWrap(SSLEngine wrappingEngine,
        SSLEngine unwrappingEngine) throws SSLException {
    final String wrapSide = wrappingEngine.getUseClientMode() ? "client" : "server";
    final String unwrapSide = unwrappingEngine.getUseClientMode() ? "client" : "server";
    // Two engines in the same mode is a harness mistake, not a TLS failure.
    if (wrapSide.equals(unwrapSide)) {
        throw new Error("Test error: both engines are in the same mode!");
    }
    System.out.println("================================================="
            + "===========");
    System.out.println("Testing SSLEngine buffer overflow"
            + " on unwrap by " + unwrapSide);

    ByteBuffer plain = ByteBuffer.wrap(MESSAGE.getBytes());
    final ByteBuffer cipher = ByteBuffer
            .allocate(wrappingEngine.getSession().getPacketBufferSize());
    SSLEngineResult outcome = wrappingEngine.wrap(plain, cipher);
    checkResult(outcome, SSLEngineResult.Status.OK);

    // Destination is deliberately one short of MESSAGE.length(), so the engine
    // has to refuse the write rather than truncate the plaintext.
    plain = ByteBuffer.allocate(MESSAGE.length() - 1);
    cipher.flip();
    outcome = unwrappingEngine.unwrap(cipher, plain);
    checkResult(outcome, SSLEngineResult.Status.BUFFER_OVERFLOW);
    System.out.println("Passed");
}
Example #2
Source File: SSLSocketChannel2.java From clevertap-android-sdk with MIT License | 6 votes |
/**
 * Performs the unwrap operation by unwrapping from {@link #inCrypt} to {@link #inData}.
 *
 * @return {@link #inData}, flipped after the unwrap loop
 * @throws SSLException if {@code sslEngine.unwrap} fails
 */
private synchronized ByteBuffer unwrap() throws SSLException {
    int rem;
    // There are some ssl test suites which get around the selector.select() call and
    // cause an infinite unwrap and 100% cpu usage (see #459 and #458). When the last
    // read result was CLOSED and no handshake is in progress, the channel is closed.
    if(readEngineResult.getStatus() == SSLEngineResult.Status.CLOSED && sslEngine.getHandshakeStatus() == HandshakeStatus.NOT_HANDSHAKING){
        try {
            close();
        } catch (IOException e) {
            // Deliberately ignored by the original author. Note that execution still
            // continues into the unwrap loop below whether or not close() succeeded.
        }
    }
    // Keep unwrapping while the engine reports OK and either the remaining space in
    // inData changed during the last call or the handshake still asks for NEED_UNWRAP.
    // Any other status (BUFFER_UNDERFLOW, BUFFER_OVERFLOW, CLOSED) ends the loop.
    do {
        rem = inData.remaining();
        readEngineResult = sslEngine.unwrap( inCrypt, inData );
    } while ( readEngineResult.getStatus() == SSLEngineResult.Status.OK && ( rem != inData.remaining() || sslEngine.getHandshakeStatus() == HandshakeStatus.NEED_UNWRAP ) );
    inData.flip();
    return inData;
}
Example #3
Source File: TlsChannelImpl.java From tls-channel with MIT License | 6 votes |
/**
 * Makes one {@code engine.wrap()} call from {@code source} into {@code outEncrypted}.
 *
 * <p>An {@link SSLException} sets {@code invalid} before it is rethrown.
 *
 * @param source plaintext buffers to encrypt
 * @return the engine's result for this call
 * @throws SSLException if the engine fails
 */
private SSLEngineResult callEngineWrap(ByteBufferSet source) throws SSLException {
    try {
        final SSLEngineResult wrapResult =
                engine.wrap(source.array, source.offset, source.length, outEncrypted.buffer);
        if (!logger.isTraceEnabled()) {
            return wrapResult;
        }
        logger.trace(
                "engine.wrap() result: [{}]; engine status: {}; srcBuffer: {}, outEncrypted: {}",
                Util.resultToString(wrapResult),
                wrapResult.getHandshakeStatus(),
                source,
                outEncrypted);
        return wrapResult;
    } catch (SSLException sslFailure) {
        invalid = true;
        throw sslFailure;
    }
}
Example #4
Source File: SSLSocketChannel2.java From clevertap-android-sdk with MIT License | 6 votes |
/**
 * Drains data that an earlier {@link #read(ByteBuffer)} left in {@code inData} or
 * {@code inCrypt}.
 *
 * @param dst destination for the decrypted bytes
 * @return the number of bytes transferred, {@code 0} if nothing was available, or
 *         {@code -1} once the engine reports {@code CLOSED}
 * @throws SSLException if unwrapping the leftover ciphertext fails
 */
private int readRemaining( ByteBuffer dst ) throws SSLException {
    // Decrypted bytes that are still buffered are served first.
    if( inData.hasRemaining() ) {
        return transfereTo( inData, dst );
    }
    if( !inData.hasRemaining() ) {
        inData.clear();
    }
    // No ciphertext left from the last read (e.g. after BUFFER_UNDERFLOW).
    if( !inCrypt.hasRemaining() ) {
        return 0;
    }
    unwrap();
    final int moved = transfereTo( inData, dst );
    if( readEngineResult.getStatus() == SSLEngineResult.Status.CLOSED ) {
        return -1;
    }
    return moved > 0 ? moved : 0;
}
Example #5
Source File: AsyncChannelWrapperSecure.java From tomcatsrc with Apache License 2.0 | 6 votes |
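/**
 * Records the status fields of {@code result} and rejects any outcome this caller
 * does not accept.
 *
 * <p>Accepted outcomes are {@code OK} for both directions and, for unwrap only,
 * {@code BUFFER_UNDERFLOW}. A wrap must not have consumed bytes and an unwrap must
 * not have produced bytes.
 * NOTE(review): those last two checks suggest this is only used during the handshake;
 * confirm against the callers.
 *
 * @param result the engine result to check
 * @param wrap {@code true} if {@code result} came from a wrap call, {@code false} for unwrap
 * @throws SSLException if the result is not one of the accepted outcomes
 */
private void checkResult(SSLEngineResult result, boolean wrap) throws SSLException {
    handshakeStatus = result.getHandshakeStatus();
    resultStatus = result.getStatus();

    // The messages carry only enum names and byte counts, never buffer contents,
    // so a failed handshake can be diagnosed from logs without exposing payload.
    final String operation = wrap ? "wrap" : "unwrap";
    if (resultStatus != Status.OK && (wrap || resultStatus != Status.BUFFER_UNDERFLOW)) {
        throw new SSLException("Unexpected status [" + resultStatus + "] after " + operation
                + " (handshake status [" + handshakeStatus + "])");
    }
    if (wrap && result.bytesConsumed() != 0) {
        throw new SSLException("Unexpected " + result.bytesConsumed()
                + " byte(s) consumed by wrap");
    }
    if (!wrap && result.bytesProduced() != 0) {
        throw new SSLException("Unexpected " + result.bytesProduced()
                + " byte(s) produced by unwrap");
    }
}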
Example #6
Source File: SSLSocketChannel2.java From ans-android-sdk with GNU General Public License v3.0 | 6 votes |
/**
 * Binds {@code channel} to {@code sslEngine} and starts the handshake straight away.
 *
 * @param channel the underlying socket channel; must not be null
 * @param sslEngine the engine that performs the TLS work; must not be null
 * @param exec executor service kept by this channel; must not be null
 * @param key optional selection key; when present, {@code OP_WRITE} is added to its interest set
 * @throws IllegalArgumentException if {@code channel}, {@code sslEngine} or {@code exec} is null
 * @throws IOException if the first write or the handshake processing fails
 */
public SSLSocketChannel2(SocketChannel channel, SSLEngine sslEngine, ExecutorService exec, SelectionKey key) throws IOException {
    final boolean missingArgument = channel == null || sslEngine == null || exec == null;
    if (missingArgument) {
        throw new IllegalArgumentException("parameter must not be null");
    }

    this.socketChannel = channel;
    this.sslEngine = sslEngine;
    this.exec = exec;

    // Placeholder shared by both result fields so neither is ever null.
    final SSLEngineResult placeholder =
            new SSLEngineResult(Status.BUFFER_UNDERFLOW, sslEngine.getHandshakeStatus(), 0, 0);
    writeEngineResult = placeholder;
    readEngineResult = placeholder;

    tasks = new ArrayList<Future<?>>(3);
    if (key != null) {
        final int withWriteInterest = key.interestOps() | SelectionKey.OP_WRITE;
        key.interestOps(withWriteInterest);
        this.selectionKey = key;
    }
    createBuffers(sslEngine.getSession());

    // Wrapping the empty buffer kicks off the handshake.
    socketChannel.write(wrap(emptybuffer));
    processHandshake();
}
Example #7
Source File: SecureNioChannel.java From Tomcat7.0.67 with Apache License 2.0 | 6 votes |
/**
 * Sends a SSL close message, will not physically close the connection here.<br>
 * To close the connection, you could do something like
 * <pre><code>
 *   close();
 *   while (isOpen() && !myTimeoutFunction()) Thread.sleep(25);
 *   if ( isOpen() ) close(true); //forces a close if you timed out
 * </code></pre>
 * @throws IOException if an I/O error occurs, if there is data on the outgoing
 *         network buffer that cannot be flushed, or if the engine does not report
 *         {@code CLOSED} for the close message
 * TODO Implement this java.io.Closeable method
 */
@Override
public void close() throws IOException {
    // The flag is set before anything can fail, so after a failed attempt every
    // later close() returns here without retrying the close message; the caller
    // is expected to fall back to close(true) as the exception text says.
    if (closing) return;
    closing = true;
    sslEngine.closeOutbound();

    // Data still queued from earlier writes must go out before the close message.
    if (!flush(netOutBuffer)) {
        throw new IOException("Remaining data in the network buffer, can't send SSL close message, force a close with close(true) instead");
    }
    //prep the buffer for the close message
    netOutBuffer.clear();
    //perform the close, since we called sslEngine.closeOutbound
    SSLEngineResult handshake = sslEngine.wrap(getEmptyBuf(), netOutBuffer);
    //we should be in a close state
    if (handshake.getStatus() != SSLEngineResult.Status.CLOSED) {
        throw new IOException("Invalid close state, will not send network data.");
    }
    //prepare the buffer for writing
    netOutBuffer.flip();
    //if there is data to be written
    flush(netOutBuffer);

    //is the channel closed? Only when the close message was fully written and the
    //engine has nothing more to wrap.
    closed = (!netOutBuffer.hasRemaining() && (handshake.getHandshakeStatus() != HandshakeStatus.NEED_WRAP));
}
Example #8
Source File: SSLEngineResultTest.java From j2objc with Apache License 2.0 | 6 votes |
/**
 * Checks that {@code toString()} returns a non-null value for every combination of
 * status, handshake status and the sample byte counts.
 */
public void test_toString() {
    final int[] counts = { 0, 1, 1000, Integer.MAX_VALUE, (Integer.MAX_VALUE - 1) };
    final SSLEngineResult.Status[] statuses = SSLEngineResult.Status.values();
    final SSLEngineResult.HandshakeStatus[] handshakeStatuses =
            SSLEngineResult.HandshakeStatus.values();

    for (SSLEngineResult.Status status : statuses) {
        for (SSLEngineResult.HandshakeStatus handshakeStatus : handshakeStatuses) {
            for (int consumed : counts) {
                for (int produced : counts) {
                    SSLEngineResult candidate =
                            new SSLEngineResult(status, handshakeStatus, consumed, produced);
                    assertNotNull("Result of toSring() method is null",
                            candidate.toString());
                }
            }
        }
    }
}
Example #9
Source File: TlsChannelImpl.java From tls-channel with MIT License | 6 votes |
/**
 * Calls {@code callEngineWrap} until the engine reports {@code OK} or {@code CLOSED},
 * enlarging {@code outEncrypted} each time it reports {@code BUFFER_OVERFLOW}.
 *
 * @param source plaintext buffers to encrypt
 * @throws SSLException if the engine fails
 * @throws IllegalStateException if the engine reports {@code BUFFER_UNDERFLOW}
 */
private void wrapLoop(ByteBufferSet source) throws SSLException {
    for (;;) {
        final SSLEngineResult attempt = callEngineWrap(source);
        switch (attempt.getStatus()) {
            case BUFFER_UNDERFLOW:
                throw new IllegalStateException();
            case BUFFER_OVERFLOW:
                // An overflowing wrap must not have taken any input before the retry.
                Util.assertTrue(attempt.bytesConsumed() == 0);
                outEncrypted.enlarge();
                break;
            case OK:
            case CLOSED:
                return;
        }
    }
}
Example #10
Source File: Worker.java From getty with Apache License 2.0 | 6 votes |
/**
 * Encrypts {@code plainData}, passes the engine result to {@code emitWrappedData} and
 * reacts to the result status.
 *
 * @param plainData plaintext to encrypt; the overflow branch tolerates {@code null}
 * @return the result of the first {@code doWrap()} call made by this invocation
 * @throws SSLException if wrapping fails
 * @throws RuntimeException if the engine reports {@code BUFFER_UNDERFLOW}
 */
SSLEngineResult wrap(ByteBuffer plainData) throws SSLException {
    _buffers.prepareForWrap(plainData);
    SSLEngineResult result = doWrap();
    emitWrappedData(result);

    switch (result.getStatus()) {
    case BUFFER_UNDERFLOW:
        throw new RuntimeException("BUFFER_UNDERFLOW while wrapping!");
    case BUFFER_OVERFLOW:
        // Grow the outbound cipher buffer, then retry with what is left of the input.
        _buffers.grow(BufferType.OUT_CIPHER);
        if (plainData != null && plainData.hasRemaining()) {
            // NOTE(review): this sets an absolute position; it only means "skip the
            // consumed bytes" if plainData started at position 0 - confirm against
            // prepareForWrap.
            plainData.position(result.bytesConsumed());
            ByteBuffer remainingData = BufferUtils.slice(plainData);
            // The recursive result is discarded: this call still returns the
            // BUFFER_OVERFLOW result, and no recursion limit is visible here.
            wrap(remainingData);
        }
        break;
    case OK:
        break;
    case CLOSED:
        _sessionClosedListener.onSessionClosed();
        break;
    }
    return result;
}
Example #11
Source File: SecureNioChannel.java From tomcatsrc with Apache License 2.0 | 6 votes |
/**
 * Sends the SSL close message without physically closing the connection.
 *
 * <p>A caller that needs the connection gone can call {@code close()}, wait with a
 * timeout while {@code isOpen()} stays true, and then force it with {@code close(true)}.
 *
 * @throws IOException if an I/O error occurs, if pending data in the outgoing network
 *         buffer cannot be flushed, or if the engine is not in the closed state after
 *         wrapping the close message
 * TODO Implement this java.io.Closeable method
 */
@Override
public void close() throws IOException {
    if (closing) {
        return;
    }
    closing = true;
    sslEngine.closeOutbound();

    // Earlier output has to leave the buffer before the close message can use it.
    final boolean pendingFlushed = flush(netOutBuffer);
    if (!pendingFlushed) {
        throw new IOException("Remaining data in the network buffer, can't send SSL close message, force a close with close(true) instead");
    }

    // Wrap an empty buffer: after closeOutbound() this yields the close message.
    netOutBuffer.clear();
    final SSLEngineResult closeResult = sslEngine.wrap(getEmptyBuf(), netOutBuffer);
    if (closeResult.getStatus() != SSLEngineResult.Status.CLOSED) {
        throw new IOException("Invalid close state, will not send network data.");
    }

    // Switch the buffer to read mode and push out whatever was produced.
    netOutBuffer.flip();
    flush(netOutBuffer);

    // Closed only if everything was written and the engine wants no further wrap.
    final boolean drained = !netOutBuffer.hasRemaining();
    closed = drained && closeResult.getHandshakeStatus() != HandshakeStatus.NEED_WRAP;
}
Example #12
Source File: SecureNioChannel.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * Performs one handshake WRAP step.
 *
 * @param doWrite whether to flush the produced bytes to the channel immediately
 * @return the engine result of the wrap call
 * @throws IOException An IO error occurred
 */
protected SSLEngineResult handshakeWrap(boolean doWrite) throws IOException {
    // Callers must never arrive here with unsent data in the network buffer,
    // which is why it can simply be cleared.
    netOutBuffer.clear();

    getBufHandler().configureWriteBufferForRead();
    final SSLEngineResult wrapped =
            sslEngine.wrap(getBufHandler().getWriteBuffer(), netOutBuffer);

    // Flip to read mode so the produced bytes can be written out.
    netOutBuffer.flip();
    handshakeStatus = wrapped.getHandshakeStatus();

    // Optimization: write right away when the channel is known to be writable.
    if (doWrite) {
        flush(netOutBuffer);
    }
    return wrapped;
}
Example #13
Source File: SslHandler.java From netty-4.1.22 with Apache License 2.0 | 6 votes |
/**
 * Unwraps {@code len} bytes of {@code in}, starting at {@code readerIndex}, into the
 * writable region of {@code out} and advances {@code out}'s writer index by the number
 * of bytes produced.
 */
@Override
SSLEngineResult unwrap(SslHandler handler, ByteBuf in, int readerIndex, int len, ByteBuf out)
        throws SSLException {
    final int sourceParts = in.nioBufferCount();
    final int startIndex = out.writerIndex();
    final SSLEngineResult result;
    if (sourceParts <= 1) {
        result = handler.engine.unwrap(toByteBuffer(in, readerIndex, len),
                toByteBuffer(out, startIndex, out.writableBytes()));
    } else {
        // Composite source: use the array-based unwrap to avoid extra memory copies.
        try {
            handler.singleBuffer[0] = toByteBuffer(out, startIndex, out.writableBytes());
            result = ((ConscryptAlpnSslEngine) handler.engine).unwrap(
                    in.nioBuffers(readerIndex, len),
                    handler.singleBuffer);
        } finally {
            // Drop the reference so the shared array does not keep the buffer alive.
            handler.singleBuffer[0] = null;
        }
    }
    out.writerIndex(startIndex + result.bytesProduced());
    return result;
}
Example #14
Source File: Worker.java From t-io with Apache License 2.0 | 6 votes |
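/**
 * Decrypts the inbound cipher buffer into the inbound plain buffer.
 *
 * @return the result of {@code _engine.unwrap()}
 * @throws SSLException if the engine rejects the inbound data; rethrown after logging
 */
private SSLEngineResult doUnwrap() throws SSLException {
    ByteBuffer cipherText = _buffers.get(BufferType.IN_CIPHER);
    ByteBuffer plainText = _buffers.get(BufferType.IN_PLAIN);
    try {
        log.info("{}, doUnwrap(解密): 密文buffer:{}, 明文buffer: {}", channelContext, cipherText, plainText);
        return _engine.unwrap(cipherText, plainText);
    } catch (SSLException e) {
        // NOTE(review): the guard tests the INFO level although the entry is written at
        // ERROR level; kept as in the original, confirm which level was intended.
        if (log.isInfoEnabled()) {
            // Copy through a duplicate instead of array(): array() throws for direct or
            // read-only buffers and ignores arrayOffset(), which would replace the
            // SSLException with an unrelated one. The duplicate leaves cipherText's
            // own position and limit untouched.
            ByteBuffer view = cipherText.duplicate();
            view.position(0);
            byte[] bs = new byte[view.remaining()];
            view.get(bs);
            // The rejected record is whatever the peer sent. It is logged only through
            // StrUtil.arrayToString, no longer as new String(bs): decoding peer-controlled
            // bytes with the platform charset puts line breaks and control characters
            // straight into the log.
            log.error(channelContext + ", 解密Error:" + e.toString() + ", byte:" + StrUtil.arrayToString(bs) + ", buffer:" + cipherText, e);
        }
        throw e;
    }
}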
Example #15
Source File: TlsChannelImpl.java From tls-channel with MIT License | 6 votes |
/**
 * Makes one {@code engine.unwrap()} call from {@code inEncrypted} into {@code dest}.
 *
 * <p>The encrypted buffer is flipped for the call and compacted afterwards, whether the
 * call succeeds or not. An {@link SSLException} sets {@code invalid} before it is rethrown.
 *
 * @param dest destination buffers for the plaintext
 * @return the engine's result for this call
 * @throws SSLException if the engine rejects the received data
 */
private SSLEngineResult callEngineUnwrap(ByteBufferSet dest) throws SSLException {
    inEncrypted.buffer.flip();
    try {
        final SSLEngineResult unwrapResult =
                engine.unwrap(inEncrypted.buffer, dest.array, dest.offset, dest.length);
        if (!logger.isTraceEnabled()) {
            return unwrapResult;
        }
        logger.trace(
                "engine.unwrap() result [{}]. Engine status: {}; inEncrypted {}; inPlain: {}",
                Util.resultToString(unwrapResult),
                unwrapResult.getHandshakeStatus(),
                inEncrypted,
                dest);
        return unwrapResult;
    } catch (SSLException rejected) {
        // Something bad arrived from the underlying channel; the channel cannot continue.
        invalid = true;
        throw rejected;
    } finally {
        inEncrypted.buffer.compact();
    }
}
Example #16
Source File: SSLSocketChannel2.java From clevertap-android-sdk with MIT License | 6 votes |
/**
 * Binds {@code channel} to {@code sslEngine} and kicks off the handshake.
 *
 * @param channel the underlying socket channel; must not be null
 * @param sslEngine the engine doing the TLS work; must not be null
 * @param exec executor service stored on this channel; must not be null
 * @param key optional selection key; if given, OP_WRITE is added to its interest ops
 * @throws IllegalArgumentException if channel, sslEngine or exec is null
 * @throws IOException if the initial write or handshake processing fails
 */
public SSLSocketChannel2( SocketChannel channel , SSLEngine sslEngine , ExecutorService exec , SelectionKey key ) throws IOException {
    if( channel == null || sslEngine == null || exec == null )
        throw new IllegalArgumentException( "parameter must not be null" );

    this.socketChannel = channel;
    this.sslEngine = sslEngine;
    this.exec = exec;

    // Both result fields start as the same placeholder object so they are never null.
    readEngineResult = writeEngineResult = new SSLEngineResult( Status.BUFFER_UNDERFLOW, sslEngine.getHandshakeStatus(), 0, 0 ); // init to prevent NPEs

    tasks = new ArrayList<Future<?>>( 3 );
    if( key != null ) {
        key.interestOps( key.interestOps() | SelectionKey.OP_WRITE );
        this.selectionKey = key;
    }
    createBuffers( sslEngine.getSession() );
    // kick off handshake
    // NOTE(review): the byte count returned by write() is ignored; on a non-blocking
    // channel a short write would leave handshake bytes unsent unless they are
    // flushed later - confirm against wrap() and processHandshake().
    socketChannel.write( wrap( emptybuffer ) );// initializes res
    processHandshake();
}
Example #17
Source File: ReferenceCountedOpenSslEngine.java From netty-4.1.22 with Apache License 2.0 | 5 votes |
/**
 * Re-enters the handshake when the engine reports {@code NOT_HANDSHAKING} although the
 * handshake state is not yet {@code FINISHED}; otherwise returns {@code status} as is.
 *
 * @param status the handshake status to check
 * @return the result of {@code handshake()} or the unchanged {@code status}
 * @throws SSLException if the additional handshake call fails
 */
private SSLEngineResult.HandshakeStatus mayFinishHandshake(SSLEngineResult.HandshakeStatus status)
        throws SSLException {
    // NOT_HANDSHAKING without a finished handshake means SSL_do_handshake()
    // has to be called again.
    final boolean mustResume =
            status == NOT_HANDSHAKING && handshakeState != HandshakeState.FINISHED;
    return mustResume ? handshake() : status;
}
Example #18
Source File: SecureNioChannel.java From Tomcat7.0.67 with Apache License 2.0 | 5 votes |
/**
 * Runs every delegated task of the engine on the calling thread.
 *
 * @return the engine's handshake status after the tasks have run
 */
protected SSLEngineResult.HandshakeStatus tasks() {
    for (Runnable task = sslEngine.getDelegatedTask();
            task != null;
            task = sslEngine.getDelegatedTask()) {
        task.run();
    }
    return sslEngine.getHandshakeStatus();
}
Example #19
Source File: SNISSLEngine.java From lams with GNU General Public License v2.0 | 5 votes |
/**
 * Inspects the first record in {@code src} for server names, selects the matching
 * {@link SSLContext}, creates and configures the real engine, and forwards the unwrap
 * to it. {@code src}'s position is restored before forwarding, so the new engine sees
 * the record from its start.
 *
 * @return {@code UNDERFLOW_UNWRAP} while too few bytes are available, otherwise the
 *         result of the selected engine's {@code unwrap}
 * @throws SSLException if no context is available for the connection, or from the
 *         selected engine
 */
public SSLEngineResult unwrap(final ByteBuffer src, final ByteBuffer[] dsts, final int offset, final int length) throws SSLException {
    SSLEngine next;
    final int mark = src.position();
    try {
        // Not even a record header yet: ask for more input.
        if (src.remaining() < SNISSLExplorer.RECORD_HEADER_SIZE) {
            packetBufferSize = SNISSLExplorer.RECORD_HEADER_SIZE;
            return UNDERFLOW_UNWRAP;
        }
        // The size comes from the input itself, before any engine has checked it.
        // NOTE(review): confirm SNISSLExplorer.getRequiredSize bounds this value,
        // since it is stored in packetBufferSize.
        final int requiredSize = SNISSLExplorer.getRequiredSize(src);
        if (src.remaining() < requiredSize) {
            packetBufferSize = requiredSize;
            return UNDERFLOW_UNWRAP;
        }
        List<SNIServerName> names = SNISSLExplorer.explore(src);
        SSLContext sslContext = selector.getContext(names);
        if (sslContext == null) {
            // no SSL context is available
            throw UndertowMessages.MESSAGES.noContextForSslConnection();
        }
        next = engineFunction.apply(sslContext);
        next.setUseClientMode(false);
        final int flagsVal = flags.get();
        // If both bits are set only setWantClientAuth(true) is applied.
        // NOTE(review): confirm the code that sets these flags keeps them mutually
        // exclusive; otherwise a required client certificate would become optional.
        if ((flagsVal & FL_WANT_C_AUTH) != 0) {
            next.setWantClientAuth(true);
        } else if ((flagsVal & FL_NEED_C_AUTH) != 0) {
            next.setNeedClientAuth(true);
        }
        if ((flagsVal & FL_SESSION_CRE) != 0) {
            next.setEnableSessionCreation(true);
        }
        next = selectionCallback.apply(next);
        currentRef.set(next);
    } finally {
        // Rewind on every path, including the early returns and the exception.
        src.position(mark);
    }
    return next.unwrap(src, dsts, offset, length);
}
Example #20
Source File: SSLEngineTest.java From netty-4.1.22 with Apache License 2.0 | 5 votes |
/**
 * After the client has produced its first handshake output and waits for
 * {@code NEED_UNWRAP}, unwrapping a buffer that was never filled with a record must
 * fail with an {@link SSLException}.
 */
@Test
public void testSSLEngineUnwrapNoSslRecord() throws Exception {
    clientSslCtx = SslContextBuilder
            .forClient()
            .sslProvider(sslClientProvider())
            .build();
    final SSLEngine engine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);

    try {
        final ByteBuffer notARecord =
                allocateBuffer(engine.getSession().getApplicationBufferSize());
        final ByteBuffer sink = allocateBuffer(engine.getSession().getPacketBufferSize());
        final ByteBuffer nothing = allocateBuffer(0);

        final SSLEngineResult firstWrap = engine.wrap(nothing, sink);
        assertEquals(SSLEngineResult.Status.OK, firstWrap.getStatus());
        assertEquals(SSLEngineResult.HandshakeStatus.NEED_UNWRAP, firstWrap.getHandshakeStatus());

        try {
            engine.unwrap(notARecord, sink);
            fail();
        } catch (SSLException expected) {
            // expected: the input is not a TLS record
        }
    } finally {
        cleanupClientSslEngine(engine);
    }
}
Example #21
Source File: SSLEngineTest.java From netty-4.1.22 with Apache License 2.0 | 5 votes |
/**
 * After a completed handshake, {@code closeOutbound()} followed by {@code wrap()} must
 * report {@code CLOSED}, consume no application bytes, produce output, and leave only
 * the outbound side done.
 */
@Test
public void testWrapAfterCloseOutbound() throws Exception {
    final SelfSignedCertificate selfSigned = new SelfSignedCertificate();

    clientSslCtx = SslContextBuilder
            .forClient()
            .trustManager(selfSigned.cert())
            .sslProvider(sslClientProvider())
            .build();
    final SSLEngine clientEngine = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);

    serverSslCtx = SslContextBuilder
            .forServer(selfSigned.certificate(), selfSigned.privateKey())
            .sslProvider(sslServerProvider())
            .build();
    final SSLEngine serverEngine = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);

    try {
        final ByteBuffer network =
                allocateBuffer(clientEngine.getSession().getPacketBufferSize());
        final ByteBuffer application = allocateBuffer(1024);

        handshake(clientEngine, serverEngine);

        // This will produce a close_notify
        clientEngine.closeOutbound();
        final SSLEngineResult afterClose = clientEngine.wrap(application, network);

        assertEquals(SSLEngineResult.Status.CLOSED, afterClose.getStatus());
        assertEquals(0, afterClose.bytesConsumed());
        assertTrue(afterClose.bytesProduced() > 0);

        assertTrue(clientEngine.isOutboundDone());
        assertFalse(clientEngine.isInboundDone());
    } finally {
        // Remove the generated key material and release both engines on every path.
        selfSigned.delete();
        cleanupClientSslEngine(clientEngine);
        cleanupServerSslEngine(serverEngine);
    }
}
Example #22
Source File: Worker.java From t-io with Apache License 2.0 | 5 votes |
/**
 * Passes decrypted data to the SSL listener when the engine produced any.
 *
 * @param result the engine result; nothing happens unless it reports produced bytes
 */
private void emitPlainData(SSLEngineResult result) {
    if (result.bytesProduced() <= 0) {
        return;
    }
    ByteBuffer inboundPlain = _buffers.get(BufferType.IN_PLAIN);
    // The listener receives the buffer returned by makeExternalBuffer, not the internal one.
    ByteBuffer handedOut = makeExternalBuffer(inboundPlain);
    _sslListener.onPlainData(handedOut);
}
Example #23
Source File: Handshaker.java From t-io with Apache License 2.0 | 5 votes |
/**
 * Finishes the handshake when the unwrap result reports {@code FINISHED}; otherwise
 * continues with the next handshake step.
 *
 * @param result the result of the preceding unwrap
 * @throws SSLException if a handshake step fails
 */
void handleUnwrapResult(SSLEngineResult result) throws SSLException {
    final boolean finished =
            result.getHandshakeStatus().equals(SSLEngineResult.HandshakeStatus.FINISHED);
    if (!finished) {
        shakehands();
        return;
    }
    // The client side reaches this line.
    handshakeFinished();
}
Example #24
Source File: SSLSocketChannel.java From mts with GNU General Public License v3.0 | 5 votes |
/**
 * Runs the engine's delegated handshake tasks on the calling thread until none is left.
 *
 * @return the handshake status reported by the engine afterwards
 */
private SSLEngineResult.HandshakeStatus runTasks() {
    while (true) {
        final Runnable pending = sslEngine.getDelegatedTask();
        if (pending == null) {
            break;
        }
        pending.run();
    }
    return sslEngine.getHandshakeStatus();
}
Example #25
Source File: DefaultSslCodec.java From craft-atom with MIT License | 5 votes |
/**
 * Restarts handshake processing when an engine result shows that a handshake is in
 * progress again.
 *
 * <p>Nothing happens if the result status is {@code CLOSED} or
 * {@code BUFFER_UNDERFLOW}, or if the handshake status is {@code NOT_HANDSHAKING}.
 *
 * @param res the engine result to inspect
 * @throws SSLException if the handshake fails
 */
private void renegotiateIfNeeded(SSLEngineResult res) throws SSLException {
    final SSLEngineResult.Status status = res.getStatus();
    if (status == SSLEngineResult.Status.CLOSED
            || status == SSLEngineResult.Status.BUFFER_UNDERFLOW) {
        return;
    }
    if (res.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
        return;
    }
    // Renegotiation required: the session is treated as not established again
    // until handshake0() completes.
    handshakeComplete = false;
    handshakeStatus = res.getHandshakeStatus();
    handshake0();
}
Example #26
Source File: TestTLS12.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Runs all delegated tasks of {@code engine} when {@code result} reports
 * {@code NEED_TASK}, then checks that the engine no longer asks for tasks.
 *
 * @param result the result of the preceding engine call
 * @param engine the engine whose delegated tasks are run
 * @throws Exception if the engine still reports {@code NEED_TASK} afterwards
 */
private static void runDelegatedTasks(SSLEngineResult result,
        SSLEngine engine) throws Exception {
    if (result.getHandshakeStatus() != HandshakeStatus.NEED_TASK) {
        return;
    }
    for (Runnable task = engine.getDelegatedTask();
            task != null;
            task = engine.getDelegatedTask()) {
        task.run();
    }
    final HandshakeStatus afterTasks = engine.getHandshakeStatus();
    if (afterTasks == HandshakeStatus.NEED_TASK) {
        throw new Exception(
                "handshake shouldn't need additional tasks");
    }
}
Example #27
Source File: SimpleSslTransportWrapper.java From qpid-proton-j with Apache License 2.0 | 5 votes |
/**
 * Captures the engine's cipher suite and protocol once a result reports that the
 * handshake has {@code FINISHED}; any other handshake status leaves both unchanged.
 *
 * @param result the engine result to inspect
 */
private void updateCipherAndProtocolName(SSLEngineResult result) {
    if (result.getHandshakeStatus() != HandshakeStatus.FINISHED) {
        return;
    }
    _cipherName = _sslEngine.getCipherSuite();
    _protocolName = _sslEngine.getProtocol();
}
Example #28
Source File: ReferenceCountedOpenSslEngine.java From netty-4.1.22 with Apache License 2.0 | 5 votes |
/**
 * Single-source convenience overload: hands {@code src} to the array-based unwrap via
 * {@code singleSrcBuffer} and always resets that holder afterwards.
 */
@Override
public final synchronized SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts)
        throws SSLException {
    final SSLEngineResult outcome;
    try {
        outcome = unwrap(singleSrcBuffer(src), dsts);
    } finally {
        // Reset on success and on failure.
        resetSingleSrcBuffer();
    }
    return outcome;
}
Example #29
Source File: Debugger.java From jlibs with Apache License 2.0 | 5 votes |
/**
 * Prints a one-line summary of an engine result: bytes consumed, bytes produced,
 * status and handshake status. No buffer contents are included.
 *
 * @param result the engine result to print
 */
public static void println(SSLEngineResult result) {
    final String summary = String.format(
            "RESULT: %5d %5d %-16s %-15s",
            result.bytesConsumed(),
            result.bytesProduced(),
            result.getStatus(),
            result.getHandshakeStatus());
    println(summary);
}
Example #30
Source File: DefaultSslCodec.java From craft-atom with MIT License | 5 votes |
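/**
 * Rejects a decrypt result whose status is {@code BUFFER_OVERFLOW}.
 *
 * @param res the engine result to check
 * @throws SSLException if the status is {@code BUFFER_OVERFLOW}
 */
private void checkStatus(SSLEngineResult res) throws SSLException {
    SSLEngineResult.Status status = res.getStatus();

    /*
     * The status may be:
     * OK - Normal operation
     * OVERFLOW - Should never happen since the application buffer is sized to hold the maximum packet size.
     * UNDERFLOW - Need to read more data from the socket. It's normal.
     * CLOSED - The other peer closed the socket. Also normal.
     */
    if (status == SSLEngineResult.Status.BUFFER_OVERFLOW) {
        // A separator was missing before "appBuffer:", which ran the two buffer
        // descriptions together in the message.
        // NOTE(review): the message relies on toString() of both buffers; confirm it
        // reports only position/limit/capacity and not their contents.
        throw new SSLException("SSLEngine error during decrypt: " + status + " inNetBuffer: " + inNetBuffer
                + " appBuffer: " + appBuffer);
    }
}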