IceSSL.TransceiverI Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of ice Show documentation
Show all versions of ice Show documentation
Ice is a comprehensive RPC framework that helps you build distributed applications with minimal effort using familiar object-oriented idioms
// **********************************************************************
//
// Copyright (c) 2003-2017 ZeroC, Inc. All rights reserved.
//
// This copy of Ice is licensed to you under the terms described in the
// ICE_LICENSE file included in this distribution.
//
// **********************************************************************
package IceSSL;
import java.nio.*;
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.*;
final class TransceiverI implements IceInternal.Transceiver, IceInternal.WSTransceiverDelegate
{
@Override
public java.nio.channels.SelectableChannel fd()
{
return _stream.fd();
}
@Override
public int initialize(IceInternal.Buffer readBuffer, IceInternal.Buffer writeBuffer, Ice.Holder moreData)
{
int status = _stream.connect(readBuffer, writeBuffer);
if(status != IceInternal.SocketOperation.None)
{
return status;
}
status = handshakeNonBlocking();
if(status != IceInternal.SocketOperation.None)
{
return status;
}
//
// Additional verification.
//
_instance.verifyPeer((NativeConnectionInfo)getInfo(), _stream.fd(), _host);
if(_instance.securityTraceLevel() >= 1)
{
_instance.traceConnection(_stream.fd(), _engine, _incoming);
}
return IceInternal.SocketOperation.None;
}
@Override
public int closing(boolean initiator, Ice.LocalException ex)
{
// If we are initiating the connection closure, wait for the peer
// to close the TCP/IP connection. Otherwise, close immediately.
return initiator ? IceInternal.SocketOperation.Read : IceInternal.SocketOperation.None;
}
@Override
public void close()
{
if(_stream.isConnected())
{
try
{
//
// Send the close_notify message.
//
_engine.closeOutbound();
_netOutput.clear();
while(!_engine.isOutboundDone())
{
_engine.wrap(_emptyBuffer, _netOutput);
try
{
//
// Note: we can't block to send the close_notify message. In some cases, the
// close_notify message might therefore not be received by the peer. This is
// not a big issue since the Ice protocol isn't subject to truncation attacks.
//
flushNonBlocking();
}
catch(Ice.LocalException ex)
{
// Ignore.
}
}
}
catch(SSLException ex)
{
//
// We can't throw in close.
//
// Ice.SecurityException se = new Ice.SecurityException(
// "IceSSL: SSL failure while shutting down socket", ex);
//
}
try
{
_engine.closeInbound();
}
catch(SSLException ex)
{
//
// SSLEngine always raises an exception with this message:
//
// Inbound closed before receiving peer's close_notify: possible truncation attack?
//
// We would probably need to wait for a response in shutdown() to avoid this.
// For now, we'll ignore this exception.
//
//_instance.logger().error("IceSSL: error during close\n" + ex.getMessage());
}
}
_stream.close();
}
@Override
public IceInternal.EndpointI bind()
{
assert(false);
return null;
}
@Override
public int write(IceInternal.Buffer buf)
{
if(!_stream.isConnected())
{
return _stream.write(buf);
}
int status = writeNonBlocking(buf.b);
assert(status == IceInternal.SocketOperation.None || status == IceInternal.SocketOperation.Write);
return status;
}
@Override
public int read(IceInternal.Buffer buf, Ice.Holder moreData)
{
moreData.value = false;
if(!_stream.isConnected())
{
return _stream.read(buf);
}
//
// Try to satisfy the request from data we've already decrypted.
//
fill(buf.b);
//
// Read and decrypt more data if necessary. Note that we might read
// more data from the socket than is actually necessary to fill the
// caller's stream.
//
try
{
while(buf.b.hasRemaining())
{
_netInput.flip();
SSLEngineResult result = _engine.unwrap(_netInput, _appInput);
_netInput.compact();
Status status = result.getStatus();
assert status != Status.BUFFER_OVERFLOW;
if(status == Status.CLOSED)
{
throw new Ice.ConnectionLostException();
}
// Android API 21 SSLEngine doesn't report underflow, so look at the absence of
// network data and application data to signal a network read.
else if(status == Status.BUFFER_UNDERFLOW || (_appInput.position() == 0 && _netInput.position() == 0))
{
if(_stream.read(_netInput) == 0)
{
return IceInternal.SocketOperation.Read;
}
continue;
}
fill(buf.b);
}
// If there is no more application data, do one further unwrap to ensure
// that the SSLEngine has no buffered data (Android R21 and greater only).
if(_appInput.position() == 0)
{
_netInput.flip();
_engine.unwrap(_netInput, _appInput);
_netInput.compact();
// Don't check the status here since we may have already filled
// the buffer with a complete request which must be processed.
}
}
catch(SSLException ex)
{
throw new Ice.SecurityException("IceSSL: error during read", ex);
}
//
// Return a boolean to indicate whether more data is available.
//
moreData.value = _netInput.position() > 0 || _appInput.position() > 0;
return IceInternal.SocketOperation.None;
}
@Override
public String protocol()
{
return _instance.protocol();
}
@Override
public String toString()
{
return _stream.toString();
}
@Override
public String toDetailedString()
{
return toString();
}
@Override
public Ice.ConnectionInfo getInfo()
{
NativeConnectionInfo info = new NativeConnectionInfo();
info.nativeCerts = fillConnectionInfo(info);
return info;
}
@Override
public Ice.ConnectionInfo getWSInfo(java.util.Map headers)
{
WSSNativeConnectionInfo info = new WSSNativeConnectionInfo();
info.nativeCerts = fillConnectionInfo(info);
info.headers = headers; // Provided header is a copy so no need to clone here.
return info;
}
@Override
public void setBufferSize(int rcvSize, int sndSize)
{
_stream.setBufferSize(rcvSize, sndSize);
}
@Override
public void checkSendSize(IceInternal.Buffer buf)
{
}
TransceiverI(Instance instance, javax.net.ssl.SSLEngine engine, IceInternal.StreamSocket stream, String hostOrAdapterName,
boolean incoming)
{
_instance = instance;
_engine = engine;
_appInput = ByteBuffer.allocateDirect(engine.getSession().getApplicationBufferSize() * 2);
_netInput = ByteBuffer.allocateDirect(engine.getSession().getPacketBufferSize() * 2);
_netOutput = ByteBuffer.allocateDirect(engine.getSession().getPacketBufferSize() * 2);
_stream = stream;
_incoming = incoming;
if(_incoming)
{
_adapterName = hostOrAdapterName;
}
else
{
_host = hostOrAdapterName;
}
}
private java.security.cert.Certificate[] fillConnectionInfo(ConnectionInfo info)
{
//
// This can only be called on an open transceiver.
//
java.security.cert.Certificate[] nativeCerts = null;
if(_stream.fd() != null)
{
java.net.Socket socket = _stream.fd().socket();
//
// On some platforms (e.g., early Android releases), sockets don't
// correctly return address information.
//
if(socket.getLocalAddress() != null)
{
info.localAddress = socket.getLocalAddress().getHostAddress();
info.localPort = socket.getLocalPort();
}
if(socket.getInetAddress() != null)
{
info.remoteAddress = socket.getInetAddress().getHostAddress();
info.remotePort = socket.getPort();
}
if(!socket.isClosed())
{
info.rcvSize = IceInternal.Network.getRecvBufferSize(_stream.fd());
info.sndSize = IceInternal.Network.getSendBufferSize(_stream.fd());
}
SSLSession session = _engine.getSession();
info.cipher = session.getCipherSuite();
try
{
java.security.cert.Certificate[] pcerts = session.getPeerCertificates();
java.security.cert.Certificate[] vcerts = _instance.engine().getVerifiedCertificateChain(pcerts);
info.verified = vcerts != null;
nativeCerts = vcerts != null ? vcerts : pcerts;
java.util.ArrayList certs = new java.util.ArrayList();
for(java.security.cert.Certificate c : nativeCerts)
{
StringBuilder s = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
s.append(IceUtilInternal.Base64.encode(c.getEncoded()));
s.append("\n-----END CERTIFICATE-----");
certs.add(s.toString());
}
info.certs = certs.toArray(new String[certs.size()]);
}
catch(javax.net.ssl.SSLPeerUnverifiedException ex)
{
// No peer certificates.
}
catch(java.security.cert.CertificateEncodingException ex)
{
}
}
info.adapterName = _adapterName;
info.incoming = _incoming;
return nativeCerts;
}
private int handshakeNonBlocking()
{
try
{
HandshakeStatus status = _engine.getHandshakeStatus();
while(!_engine.isOutboundDone() && !_engine.isInboundDone())
{
SSLEngineResult result = null;
switch(status)
{
case FINISHED:
case NOT_HANDSHAKING:
{
return IceInternal.SocketOperation.None;
}
case NEED_TASK:
{
Runnable task;
while((task = _engine.getDelegatedTask()) != null)
{
task.run();
}
status = _engine.getHandshakeStatus();
break;
}
case NEED_UNWRAP:
{
if(_netInput.position() == 0 && _stream.read(_netInput) == 0)
{
return IceInternal.SocketOperation.Read;
}
//
// The engine needs more data. We might already have enough data in
// the _netInput buffer to satisfy the engine. If not, the engine
// responds with BUFFER_UNDERFLOW and we'll read from the socket.
//
_netInput.flip();
result = _engine.unwrap(_netInput, _appInput);
_netInput.compact();
//
// FINISHED is only returned from wrap or unwrap, not from engine.getHandshakeResult().
//
status = result.getHandshakeStatus();
switch(result.getStatus())
{
case BUFFER_OVERFLOW:
{
assert(false);
break;
}
case BUFFER_UNDERFLOW:
{
assert(status == javax.net.ssl.SSLEngineResult.HandshakeStatus.NEED_UNWRAP);
if(_stream.read(_netInput) == 0)
{
return IceInternal.SocketOperation.Read;
}
break;
}
case CLOSED:
{
throw new Ice.ConnectionLostException();
}
case OK:
{
break;
}
}
break;
}
case NEED_WRAP:
{
//
// The engine needs to send a message.
//
result = _engine.wrap(_emptyBuffer, _netOutput);
if(result.bytesProduced() > 0 && !flushNonBlocking())
{
return IceInternal.SocketOperation.Write;
}
//
// FINISHED is only returned from wrap or unwrap, not from engine.getHandshakeResult().
//
status = result.getHandshakeStatus();
break;
}
}
if(result != null)
{
switch(result.getStatus())
{
case BUFFER_OVERFLOW:
assert(false);
break;
case BUFFER_UNDERFLOW:
// Need to read again.
assert(status == HandshakeStatus.NEED_UNWRAP);
break;
case CLOSED:
throw new Ice.ConnectionLostException();
case OK:
break;
}
}
}
}
catch(SSLException ex)
{
throw new Ice.SecurityException("IceSSL: handshake error", ex);
}
return IceInternal.SocketOperation.None;
}
private int writeNonBlocking(ByteBuffer buf)
{
//
// This method has two purposes: encrypt the application's message buffer into our
// _netOutput buffer, and write the contents of _netOutput to the socket without
// blocking.
//
try
{
while(buf.hasRemaining() || _netOutput.position() > 0)
{
if(buf.hasRemaining())
{
//
// Encrypt the buffer.
//
SSLEngineResult result = _engine.wrap(buf, _netOutput);
switch(result.getStatus())
{
case BUFFER_OVERFLOW:
//
// Need to make room in _netOutput.
//
break;
case BUFFER_UNDERFLOW:
assert(false);
break;
case CLOSED:
throw new Ice.ConnectionLostException();
case OK:
break;
}
}
//
// Write the encrypted data to the socket. We continue writing until we've written
// all of _netOutput, or until flushNonBlocking indicates that it cannot write
// (i.e., by returning SocketOperation.Write).
//
if(_netOutput.position() > 0 && !flushNonBlocking())
{
return IceInternal.SocketOperation.Write;
}
}
}
catch(SSLException ex)
{
throw new Ice.SecurityException("IceSSL: error while encoding message", ex);
}
assert(_netOutput.position() == 0);
return IceInternal.SocketOperation.None;
}
private boolean flushNonBlocking()
{
_netOutput.flip();
try
{
_stream.write(_netOutput);
}
catch(Ice.SocketException ex)
{
throw new Ice.ConnectionLostException(ex);
}
if(_netOutput.hasRemaining())
{
_netOutput.compact();
return false;
}
else
{
_netOutput.clear();
return true;
}
}
private void fill(ByteBuffer buf)
{
_appInput.flip();
if(_appInput.hasRemaining())
{
int bytesAvailable = _appInput.remaining();
int bytesNeeded = buf.remaining();
if(bytesAvailable > bytesNeeded)
{
bytesAvailable = bytesNeeded;
}
if(buf.hasArray())
{
//
// Copy directly into the destination buffer's backing array.
//
byte[] arr = buf.array();
_appInput.get(arr, buf.arrayOffset() + buf.position(), bytesAvailable);
buf.position(buf.position() + bytesAvailable);
}
else if(_appInput.hasArray())
{
//
// Copy directly from the source buffer's backing array.
//
byte[] arr = _appInput.array();
buf.put(arr, _appInput.arrayOffset() + _appInput.position(), bytesAvailable);
_appInput.position(_appInput.position() + bytesAvailable);
}
else
{
//
// Copy using a temporary array.
//
byte[] arr = new byte[bytesAvailable];
_appInput.get(arr);
buf.put(arr);
}
}
_appInput.compact();
}
private Instance _instance;
private IceInternal.StreamSocket _stream;
private javax.net.ssl.SSLEngine _engine;
private String _host = "";
private String _adapterName = "";
private boolean _incoming;
private ByteBuffer _appInput; // Holds clear-text data to be read by the application.
private ByteBuffer _netInput; // Holds encrypted data read from the socket.
private ByteBuffer _netOutput; // Holds encrypted data to be written to the socket.
private static ByteBuffer _emptyBuffer = ByteBuffer.allocate(0); // Used during handshaking.
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy