Package io.netty.handler.ssl

Class ReferenceCountedOpenSslEngine

    • Field Detail

      • OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2

        private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV2
        See Also:
        Constant Field Values

      • OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3

        private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_SSLV3
        See Also:
        Constant Field Values

      • OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1

        private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1
        See Also:
        Constant Field Values

      • OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1

        private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_1
        See Also:
        Constant Field Values

      • OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2

        private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_2
        See Also:
        Constant Field Values

      • OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_3

        private static final int OPENSSL_OP_NO_PROTOCOL_INDEX_TLSv1_3
        See Also:
        Constant Field Values

      • OPENSSL_OP_NO_PROTOCOLS

        private static final int[] OPENSSL_OP_NO_PROTOCOLS

      • MAX_PLAINTEXT_LENGTH

        static final int MAX_PLAINTEXT_LENGTH
        Depends upon tcnative ... only use if tcnative is available!

      • MAX_RECORD_SIZE

        static final int MAX_RECORD_SIZE
        Depends upon tcnative ... only use if tcnative is available!

      • NEED_UNWRAP_OK

        private static final javax.net.ssl.SSLEngineResult NEED_UNWRAP_OK

      • NEED_UNWRAP_CLOSED

        private static final javax.net.ssl.SSLEngineResult NEED_UNWRAP_CLOSED

      • NEED_WRAP_OK

        private static final javax.net.ssl.SSLEngineResult NEED_WRAP_OK

      • NEED_WRAP_CLOSED

        private static final javax.net.ssl.SSLEngineResult NEED_WRAP_CLOSED

      • CLOSED_NOT_HANDSHAKING

        private static final javax.net.ssl.SSLEngineResult CLOSED_NOT_HANDSHAKING

      • ssl

        private long ssl

      • networkBIO

        private long networkBIO

      • receivedShutdown

        private boolean receivedShutdown

      • destroyed

        private volatile boolean destroyed

      • applicationProtocol

        private volatile java.lang.String applicationProtocol

      • needTask

        private volatile boolean needTask

      • hasTLSv13Cipher

        private boolean hasTLSv13Cipher

      • sessionSet

        private boolean sessionSet

      • enabledProtocols

        private final java.util.Set<java.lang.String> enabledProtocols

      • clientAuth

        private volatile ClientAuth clientAuth

      • endpointIdentificationAlgorithm

        private java.lang.String endpointIdentificationAlgorithm

      • algorithmConstraints

        private java.lang.Object algorithmConstraints

      • sniHostNames

        private java.util.List<java.lang.String> sniHostNames

      • matchers

        private volatile java.util.Collection<?> matchers

      • isInboundDone

        private boolean isInboundDone

      • outboundClosed

        private boolean outboundClosed

      • jdkCompatibilityMode

        final boolean jdkCompatibilityMode

      • clientMode

        private final boolean clientMode

      • singleSrcBuffer

        private final java.nio.ByteBuffer[] singleSrcBuffer

      • singleDstBuffer

        private final java.nio.ByteBuffer[] singleDstBuffer

      • enableOcsp

        private final boolean enableOcsp

      • maxWrapOverhead

        private int maxWrapOverhead

      • maxWrapBufferSize

        private int maxWrapBufferSize

      • pendingException

        private java.lang.Throwable pendingException

      • JAVAX_CERTS_NOT_SUPPORTED

        private static final javax.security.cert.X509Certificate[] JAVAX_CERTS_NOT_SUPPORTED

    • Constructor Detail

      • ReferenceCountedOpenSslEngine

        ReferenceCountedOpenSslEngine​(ReferenceCountedOpenSslContext context,
                              ByteBufAllocator alloc,
                              java.lang.String peerHost,
                              int peerPort,
                              boolean jdkCompatibilityMode,
                              boolean leakDetection,
                              java.lang.String endpointIdentificationAlgorithm)
        Create a new instance.
        Parameters:
        context - Reference count release responsibility is not transferred! The callee still owns this object.
        alloc - The allocator to use.
        peerHost - The peer host name.
        peerPort - The peer port.
        jdkCompatibilityMode - true to behave like described in https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html. false allows for partial and/or multiple packets to be process in a single wrap or unwrap call.
        leakDetection - true to enable leak detection of this object.

    • Method Detail

      • authMethods

        final java.lang.String[] authMethods()

      • setKeyMaterial

        final boolean setKeyMaterial​(OpenSslKeyMaterial keyMaterial)
                      throws java.lang.Exception
        Throws:
        java.lang.Exception

      • masterKey

        final javax.crypto.spec.SecretKeySpec masterKey()

      • isSessionReused

        boolean isSessionReused()

      • setOcspResponse

        @UnstableApi
public void setOcspResponse​(byte[] response)
        Sets the OCSP response.

      • getOcspResponse

        @UnstableApi
public byte[] getOcspResponse()
        Returns the OCSP response or null if the server didn't provide a stapled OCSP response.

      • refCnt

        public final int refCnt()
        Description copied from interface: ReferenceCounted
        Returns the reference count of this object. If 0, it means this object has been deallocated.
        Specified by:
        refCnt in interface ReferenceCounted

      • touch

        public final ReferenceCounted touch​(java.lang.Object hint)
        Description copied from interface: ReferenceCounted
        Records the current access location of this object with an additional arbitrary information for debugging purposes. If this object is determined to be leaked, the information recorded by this operation will be provided to you via ResourceLeakDetector.
        Specified by:
        touch in interface ReferenceCounted

      • release

        public final boolean release()
        Description copied from interface: ReferenceCounted
        Decreases the reference count by 1 and deallocates this object if the reference count reaches at 0.
        Specified by:
        release in interface ReferenceCounted
        Returns:
        true if and only if the reference count became 0 and this object has been deallocated

      • release

        public final boolean release​(int decrement)
        Description copied from interface: ReferenceCounted
        Decreases the reference count by the specified decrement and deallocates this object if the reference count reaches at 0.
        Specified by:
        release in interface ReferenceCounted
        Returns:
        true if and only if the reference count became 0 and this object has been deallocated

      • getApplicationProtocol

        public java.lang.String getApplicationProtocol()
        Overrides:
        getApplicationProtocol in class javax.net.ssl.SSLEngine

      • getHandshakeApplicationProtocol

        public java.lang.String getHandshakeApplicationProtocol()
        Overrides:
        getHandshakeApplicationProtocol in class javax.net.ssl.SSLEngine

      • getHandshakeSession

        public final javax.net.ssl.SSLSession getHandshakeSession()
        Overrides:
        getHandshakeSession in class javax.net.ssl.SSLEngine

      • sslPointer

        public final long sslPointer()
        Returns the pointer to the SSL object for this ReferenceCountedOpenSslEngine. Be aware that it is freed as soon as the release() or shutdown() methods are called. At this point 0 will be returned.

      • shutdown

        public final void shutdown()
        Destroys this engine.

      • writePlaintextData

        private int writePlaintextData​(java.nio.ByteBuffer src,
                               int len)
        Write plaintext data to the OpenSSL internal BIO Calling this function with src.remaining == 0 is undefined.

      • bioSetFd

        void bioSetFd​(int fd)

      • writeEncryptedData

        private ByteBuf writeEncryptedData​(java.nio.ByteBuffer src,
                                   int len)
                            throws javax.net.ssl.SSLException
        Write encrypted data to the OpenSSL network BIO.
        Throws:
        javax.net.ssl.SSLException

      • readPlaintextData

        private int readPlaintextData​(java.nio.ByteBuffer dst)
                       throws javax.net.ssl.SSLException
        Read plaintext data from the OpenSSL internal BIO
        Throws:
        javax.net.ssl.SSLException

      • maxWrapOverhead

        final int maxWrapOverhead()
        Visible only for testing!

      • maxEncryptedPacketLength

        final int maxEncryptedPacketLength()
        Visible only for testing!

      • maxEncryptedPacketLength0

        final int maxEncryptedPacketLength0()
        This method is intentionally not synchronized, only use if you know you are in the EventLoop thread and visibility on maxWrapOverhead is achieved via other synchronized blocks.

      • calculateMaxLengthForWrap

        final int calculateMaxLengthForWrap​(int plaintextLength,
                                    int numComponents)
        This method is intentionally not synchronized, only use if you know you are in the EventLoop thread and visibility on maxWrapBufferSize and maxWrapOverhead is achieved via other synchronized blocks.
        Calculates the max size of a single wrap operation for the given plaintextLength and numComponents.

      • calculateOutNetBufSize

        final int calculateOutNetBufSize​(int plaintextLength,
                                 int numComponents)
        This method is intentionally not synchronized, only use if you know you are in the EventLoop thread and visibility on maxWrapOverhead is achieved via other synchronized blocks.
        Calculates the size of the out net buf to create for the given plaintextLength and numComponents. This is not related to the max size per wrap, as we can wrap chunks at a time into one out net buf.

      • sslPending

        final int sslPending()

      • calculateMaxWrapOverhead

        private void calculateMaxWrapOverhead()
        It is assumed this method is called in a synchronized block (or the constructor)!

      • sslPending0

        private int sslPending0()

      • isBytesAvailableEnoughForWrap

        private boolean isBytesAvailableEnoughForWrap​(int bytesAvailable,
                                              int plaintextLength,
                                              int numComponents)

      • wrap

        public final javax.net.ssl.SSLEngineResult wrap​(java.nio.ByteBuffer[] srcs,
                                                int offset,
                                                int length,
                                                java.nio.ByteBuffer dst)
                                         throws javax.net.ssl.SSLException
        Specified by:
        wrap in class javax.net.ssl.SSLEngine
        Throws:
        javax.net.ssl.SSLException

      • newResult

        private javax.net.ssl.SSLEngineResult newResult​(javax.net.ssl.SSLEngineResult.HandshakeStatus hs,
                                                int bytesConsumed,
                                                int bytesProduced)

      • newResult

        private javax.net.ssl.SSLEngineResult newResult​(javax.net.ssl.SSLEngineResult.Status status,
                                                javax.net.ssl.SSLEngineResult.HandshakeStatus hs,
                                                int bytesConsumed,
                                                int bytesProduced)

      • newResultMayFinishHandshake

        private javax.net.ssl.SSLEngineResult newResultMayFinishHandshake​(javax.net.ssl.SSLEngineResult.HandshakeStatus hs,
                                                                  int bytesConsumed,
                                                                  int bytesProduced)
                                                           throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • newResultMayFinishHandshake

        private javax.net.ssl.SSLEngineResult newResultMayFinishHandshake​(javax.net.ssl.SSLEngineResult.Status status,
                                                                  javax.net.ssl.SSLEngineResult.HandshakeStatus hs,
                                                                  int bytesConsumed,
                                                                  int bytesProduced)
                                                           throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • shutdownWithError

        private javax.net.ssl.SSLException shutdownWithError​(java.lang.String operation,
                                                     int sslError,
                                                     int error)
        Log the error, shutdown the engine and throw an exception.

      • handleUnwrapException

        private javax.net.ssl.SSLEngineResult handleUnwrapException​(int bytesConsumed,
                                                            int bytesProduced,
                                                            javax.net.ssl.SSLException e)
                                                     throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • unwrap

        public final javax.net.ssl.SSLEngineResult unwrap​(java.nio.ByteBuffer[] srcs,
                                                  int srcsOffset,
                                                  int srcsLength,
                                                  java.nio.ByteBuffer[] dsts,
                                                  int dstsOffset,
                                                  int dstsLength)
                                           throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • needWrapAgain

        private boolean needWrapAgain​(int stackError)

      • newSSLExceptionForError

        private javax.net.ssl.SSLException newSSLExceptionForError​(int stackError)

      • shouldAddSuppressed

        private static boolean shouldAddSuppressed​(java.lang.Throwable target,
                                           int errorCode)

      • sslReadErrorResult

        private javax.net.ssl.SSLEngineResult sslReadErrorResult​(int error,
                                                         int stackError,
                                                         int bytesConsumed,
                                                         int bytesProduced)
                                                  throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • closeAll

        private void closeAll()
               throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • rejectRemoteInitiatedRenegotiation

        private void rejectRemoteInitiatedRenegotiation()
                                         throws javax.net.ssl.SSLHandshakeException
        Throws:
        javax.net.ssl.SSLHandshakeException

      • unwrap

        public final javax.net.ssl.SSLEngineResult unwrap​(java.nio.ByteBuffer[] srcs,
                                                  java.nio.ByteBuffer[] dsts)
                                           throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • singleSrcBuffer

        private java.nio.ByteBuffer[] singleSrcBuffer​(java.nio.ByteBuffer src)

      • resetSingleSrcBuffer

        private void resetSingleSrcBuffer()

      • singleDstBuffer

        private java.nio.ByteBuffer[] singleDstBuffer​(java.nio.ByteBuffer src)

      • resetSingleDstBuffer

        private void resetSingleDstBuffer()

      • unwrap

        public final javax.net.ssl.SSLEngineResult unwrap​(java.nio.ByteBuffer src,
                                                  java.nio.ByteBuffer[] dsts,
                                                  int offset,
                                                  int length)
                                           throws javax.net.ssl.SSLException
        Specified by:
        unwrap in class javax.net.ssl.SSLEngine
        Throws:
        javax.net.ssl.SSLException

      • wrap

        public final javax.net.ssl.SSLEngineResult wrap​(java.nio.ByteBuffer src,
                                                java.nio.ByteBuffer dst)
                                         throws javax.net.ssl.SSLException
        Overrides:
        wrap in class javax.net.ssl.SSLEngine
        Throws:
        javax.net.ssl.SSLException

      • unwrap

        public final javax.net.ssl.SSLEngineResult unwrap​(java.nio.ByteBuffer src,
                                                  java.nio.ByteBuffer dst)
                                           throws javax.net.ssl.SSLException
        Overrides:
        unwrap in class javax.net.ssl.SSLEngine
        Throws:
        javax.net.ssl.SSLException

      • unwrap

        public final javax.net.ssl.SSLEngineResult unwrap​(java.nio.ByteBuffer src,
                                                  java.nio.ByteBuffer[] dsts)
                                           throws javax.net.ssl.SSLException
        Overrides:
        unwrap in class javax.net.ssl.SSLEngine
        Throws:
        javax.net.ssl.SSLException

      • runAndResetNeedTask

        private void runAndResetNeedTask​(java.lang.Runnable task)

      • getDelegatedTask

        public final java.lang.Runnable getDelegatedTask()
        Specified by:
        getDelegatedTask in class javax.net.ssl.SSLEngine

      • closeInbound

        public final void closeInbound()
                        throws javax.net.ssl.SSLException
        Specified by:
        closeInbound in class javax.net.ssl.SSLEngine
        Throws:
        javax.net.ssl.SSLException

      • isInboundDone

        public final boolean isInboundDone()
        Specified by:
        isInboundDone in class javax.net.ssl.SSLEngine

      • closeOutbound

        public final void closeOutbound()
        Specified by:
        closeOutbound in class javax.net.ssl.SSLEngine

      • doSSLShutdown

        private boolean doSSLShutdown()
        Attempt to call SSL.shutdownSSL(long).
        Returns:
        false if the call to SSL.shutdownSSL(long) was not attempted or returned an error.

      • isOutboundDone

        public final boolean isOutboundDone()
        Specified by:
        isOutboundDone in class javax.net.ssl.SSLEngine

      • getSupportedCipherSuites

        public final java.lang.String[] getSupportedCipherSuites()
        Specified by:
        getSupportedCipherSuites in class javax.net.ssl.SSLEngine

      • getEnabledCipherSuites

        public final java.lang.String[] getEnabledCipherSuites()
        Specified by:
        getEnabledCipherSuites in class javax.net.ssl.SSLEngine

      • setEnabledCipherSuites

        public final void setEnabledCipherSuites​(java.lang.String[] cipherSuites)
        Specified by:
        setEnabledCipherSuites in class javax.net.ssl.SSLEngine

      • getSupportedProtocols

        public final java.lang.String[] getSupportedProtocols()
        Specified by:
        getSupportedProtocols in class javax.net.ssl.SSLEngine

      • getEnabledProtocols

        public final java.lang.String[] getEnabledProtocols()
        Specified by:
        getEnabledProtocols in class javax.net.ssl.SSLEngine

      • isProtocolEnabled

        private static boolean isProtocolEnabled​(int opts,
                                         int disableMask,
                                         java.lang.String protocolString)

      • setEnabledProtocols

        public final void setEnabledProtocols​(java.lang.String[] protocols)
        TLS doesn't support a way to advertise non-contiguous versions from the client's perspective, and the client just advertises the max supported version. The TLS protocol also doesn't support all different combinations of discrete protocols, and instead assumes contiguous ranges. OpenSSL has some unexpected behavior (e.g. handshake failures) if non-contiguous protocols are used even where there is a compatible set of protocols and ciphers. For these reasons this method will determine the minimum protocol and the maximum protocol and enabled a contiguous range from [min protocol, max protocol] in OpenSSL.
        Specified by:
        setEnabledProtocols in class javax.net.ssl.SSLEngine

      • setEnabledProtocols0

        private void setEnabledProtocols0​(java.lang.String[] protocols,
                                  boolean explicitDisableTLSv13)

      • getSession

        public final javax.net.ssl.SSLSession getSession()
        Specified by:
        getSession in class javax.net.ssl.SSLEngine

      • beginHandshake

        public final void beginHandshake()
                          throws javax.net.ssl.SSLException
        Specified by:
        beginHandshake in class javax.net.ssl.SSLEngine
        Throws:
        javax.net.ssl.SSLException

      • checkEngineClosed

        private void checkEngineClosed()
                        throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • pendingStatus

        private static javax.net.ssl.SSLEngineResult.HandshakeStatus pendingStatus​(int pendingStatus)

      • isEmpty

        private static boolean isEmpty​(java.lang.Object[] arr)

      • isEmpty

        private static boolean isEmpty​(byte[] cert)

      • handshakeException

        private javax.net.ssl.SSLEngineResult.HandshakeStatus handshakeException()
                                                                  throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • initHandshakeException

        final void initHandshakeException​(java.lang.Throwable cause)
        Should be called if the handshake will be failed due a callback that throws an exception. This cause will then be used to give more details as part of the SSLHandshakeException.

      • handshake

        private javax.net.ssl.SSLEngineResult.HandshakeStatus handshake()
                                                         throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • mayFinishHandshake

        private javax.net.ssl.SSLEngineResult.HandshakeStatus mayFinishHandshake​(javax.net.ssl.SSLEngineResult.HandshakeStatus hs,
                                                                         int bytesConsumed,
                                                                         int bytesProduced)
                                                                  throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • mayFinishHandshake

        private javax.net.ssl.SSLEngineResult.HandshakeStatus mayFinishHandshake​(javax.net.ssl.SSLEngineResult.HandshakeStatus status)
                                                                  throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException

      • getHandshakeStatus

        public final javax.net.ssl.SSLEngineResult.HandshakeStatus getHandshakeStatus()
        Specified by:
        getHandshakeStatus in class javax.net.ssl.SSLEngine

      • getHandshakeStatus

        private javax.net.ssl.SSLEngineResult.HandshakeStatus getHandshakeStatus​(int pending)

      • needPendingStatus

        private boolean needPendingStatus()

      • toJavaCipherSuite

        private java.lang.String toJavaCipherSuite​(java.lang.String openSslCipherSuite)
        Converts the specified OpenSSL cipher suite to the Java cipher suite.

      • toJavaCipherSuitePrefix

        private static java.lang.String toJavaCipherSuitePrefix​(java.lang.String protocolVersion)
        Converts the protocol version string returned by SSL.getVersion(long) to protocol family string.

      • setUseClientMode

        public final void setUseClientMode​(boolean clientMode)
        Specified by:
        setUseClientMode in class javax.net.ssl.SSLEngine

      • getUseClientMode

        public final boolean getUseClientMode()
        Specified by:
        getUseClientMode in class javax.net.ssl.SSLEngine

      • setNeedClientAuth

        public final void setNeedClientAuth​(boolean b)
        Specified by:
        setNeedClientAuth in class javax.net.ssl.SSLEngine

      • getNeedClientAuth

        public final boolean getNeedClientAuth()
        Specified by:
        getNeedClientAuth in class javax.net.ssl.SSLEngine

      • setWantClientAuth

        public final void setWantClientAuth​(boolean b)
        Specified by:
        setWantClientAuth in class javax.net.ssl.SSLEngine

      • getWantClientAuth

        public final boolean getWantClientAuth()
        Specified by:
        getWantClientAuth in class javax.net.ssl.SSLEngine

      • setVerify

        @UnstableApi
public final void setVerify​(int verifyMode,
                            int depth)
        See SSL_set_verify and SSL.setVerify(long, int, int).

      • setClientAuth

        private void setClientAuth​(ClientAuth mode)

      • setEnableSessionCreation

        public final void setEnableSessionCreation​(boolean b)
        Specified by:
        setEnableSessionCreation in class javax.net.ssl.SSLEngine

      • getEnableSessionCreation

        public final boolean getEnableSessionCreation()
        Specified by:
        getEnableSessionCreation in class javax.net.ssl.SSLEngine

      • getSSLParameters

        public final javax.net.ssl.SSLParameters getSSLParameters()
        Overrides:
        getSSLParameters in class javax.net.ssl.SSLEngine

      • setSSLParameters

        public final void setSSLParameters​(javax.net.ssl.SSLParameters sslParameters)
        Overrides:
        setSSLParameters in class javax.net.ssl.SSLEngine

      • configureEndpointVerification

        private void configureEndpointVerification​(java.lang.String endpointIdentificationAlgorithm)

      • isEndPointVerificationEnabled

        private static boolean isEndPointVerificationEnabled​(java.lang.String endPointIdentificationAlgorithm)

      • isDestroyed

        private boolean isDestroyed()

      • checkSniHostnameMatch

        final boolean checkSniHostnameMatch​(byte[] hostname)

      • getNegotiatedApplicationProtocol

        public java.lang.String getNegotiatedApplicationProtocol()
        Description copied from interface: ApplicationProtocolAccessor
        Returns the name of the negotiated application-level protocol.
        Specified by:
        getNegotiatedApplicationProtocol in interface ApplicationProtocolAccessor
        Returns:
        the application-level protocol name or null if the negotiation failed or the client does not have ALPN/NPN extension

      • bufferAddress

        private static long bufferAddress​(java.nio.ByteBuffer b)

      • selectApplicationProtocol

        private void selectApplicationProtocol()
                                throws javax.net.ssl.SSLException
        Select the application protocol used.
        Throws:
        javax.net.ssl.SSLException

      • selectApplicationProtocol

        private java.lang.String selectApplicationProtocol​(java.util.List<java.lang.String> protocols,
                                                   ApplicationProtocolConfig.SelectedListenerFailureBehavior behavior,
                                                   java.lang.String applicationProtocol)
                                            throws javax.net.ssl.SSLException
        Throws:
        javax.net.ssl.SSLException