io.netty5.handler.ssl.OpenSslSessionContext Maven / Gradle / Ivy
The newest version!
/*
* Copyright 2014 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty5.handler.ssl;
import io.netty.internal.tcnative.SSL;
import io.netty.internal.tcnative.SSLContext;
import io.netty.internal.tcnative.SessionTicketKey;
import io.netty5.util.internal.ObjectUtil;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.concurrent.locks.Lock;
import static java.util.Objects.requireNonNull;
/**
* OpenSSL specific {@link SSLSessionContext} implementation.
*/
public abstract class OpenSslSessionContext implements SSLSessionContext {
private final OpenSslSessionStats stats;
// The OpenSslKeyMaterialProvider is not really used by the OpenSslSessionContext but only be stored here
// to make it easier to destroy it later because the ReferenceCountedOpenSslContext will hold a reference
// to OpenSslSessionContext.
private final OpenSslKeyMaterialProvider provider;
final ReferenceCountedOpenSslContext context;
private final OpenSslSessionCache sessionCache;
private final long mask;
// IMPORTANT: We take the OpenSslContext and not just the long (which points the native instance) to prevent
// the GC to collect OpenSslContext as this would also free the pointer and so could result in a
// segfault when the user calls any of the methods here that try to pass the pointer down to the native
// level.
OpenSslSessionContext(ReferenceCountedOpenSslContext context, OpenSslKeyMaterialProvider provider, long mask,
OpenSslSessionCache cache) {
this.context = context;
this.provider = provider;
this.mask = mask;
stats = new OpenSslSessionStats(context);
sessionCache = cache;
SSLContext.setSSLSessionCache(context.ctx, cache);
}
final boolean useKeyManager() {
return provider != null;
}
@Override
public void setSessionCacheSize(int size) {
ObjectUtil.checkPositiveOrZero(size, "size");
sessionCache.setSessionCacheSize(size);
}
@Override
public int getSessionCacheSize() {
return sessionCache.getSessionCacheSize();
}
@Override
public void setSessionTimeout(int seconds) {
ObjectUtil.checkPositiveOrZero(seconds, "seconds");
Lock writerLock = context.ctxLock.writeLock();
writerLock.lock();
try {
SSLContext.setSessionCacheTimeout(context.ctx, seconds);
sessionCache.setSessionTimeout(seconds);
} finally {
writerLock.unlock();
}
}
@Override
public int getSessionTimeout() {
return sessionCache.getSessionTimeout();
}
@Override
public SSLSession getSession(byte[] bytes) {
return sessionCache.getSession(new OpenSslSessionId(bytes));
}
@Override
public Enumeration getIds() {
return new Enumeration<>() {
private final Iterator ids = sessionCache.getIds().iterator();
@Override
public boolean hasMoreElements() {
return ids.hasNext();
}
@Override
public byte[] nextElement() {
return ids.next().cloneBytes();
}
};
}
/**
* Sets the SSL session ticket keys of this context.
* @deprecated use {@link #setTicketKeys(OpenSslSessionTicketKey...)}.
*/
@Deprecated
public void setTicketKeys(byte[] keys) {
if (keys.length % SessionTicketKey.TICKET_KEY_SIZE != 0) {
throw new IllegalArgumentException("keys.length % " + SessionTicketKey.TICKET_KEY_SIZE + " != 0");
}
SessionTicketKey[] tickets = new SessionTicketKey[keys.length / SessionTicketKey.TICKET_KEY_SIZE];
for (int i = 0, a = 0; i < tickets.length; i++) {
byte[] name = Arrays.copyOfRange(keys, a, SessionTicketKey.NAME_SIZE);
a += SessionTicketKey.NAME_SIZE;
byte[] hmacKey = Arrays.copyOfRange(keys, a, SessionTicketKey.HMAC_KEY_SIZE);
i += SessionTicketKey.HMAC_KEY_SIZE;
byte[] aesKey = Arrays.copyOfRange(keys, a, SessionTicketKey.AES_KEY_SIZE);
a += SessionTicketKey.AES_KEY_SIZE;
tickets[i] = new SessionTicketKey(name, hmacKey, aesKey);
}
Lock writerLock = context.ctxLock.writeLock();
writerLock.lock();
try {
SSLContext.clearOptions(context.ctx, SSL.SSL_OP_NO_TICKET);
SSLContext.setSessionTicketKeys(context.ctx, tickets);
} finally {
writerLock.unlock();
}
}
/**
* Sets the SSL session ticket keys of this context. Depending on the underlying native library you may omit the
* argument or pass an empty array and so let the native library handle the key generation and rotating for you.
* If this is supported by the underlying native library should be checked in this case. For example
* BoringSSL is known to support this.
*/
public void setTicketKeys(OpenSslSessionTicketKey... keys) {
requireNonNull(keys, "keys");
SessionTicketKey[] ticketKeys = new SessionTicketKey[keys.length];
for (int i = 0; i < ticketKeys.length; i++) {
ticketKeys[i] = keys[i].key;
}
Lock writerLock = context.ctxLock.writeLock();
writerLock.lock();
try {
SSLContext.clearOptions(context.ctx, SSL.SSL_OP_NO_TICKET);
if (ticketKeys.length > 0) {
SSLContext.setSessionTicketKeys(context.ctx, ticketKeys);
}
} finally {
writerLock.unlock();
}
}
/**
* Enable or disable caching of SSL sessions.
*/
public void setSessionCacheEnabled(boolean enabled) {
long mode = enabled ? mask | SSL.SSL_SESS_CACHE_NO_INTERNAL_LOOKUP |
SSL.SSL_SESS_CACHE_NO_INTERNAL_STORE : SSL.SSL_SESS_CACHE_OFF;
Lock writerLock = context.ctxLock.writeLock();
writerLock.lock();
try {
SSLContext.setSessionCacheMode(context.ctx, mode);
if (!enabled) {
sessionCache.clear();
}
} finally {
writerLock.unlock();
}
}
/**
* Return {@code true} if caching of SSL sessions is enabled, {@code false} otherwise.
*/
public boolean isSessionCacheEnabled() {
Lock readerLock = context.ctxLock.readLock();
readerLock.lock();
try {
return (SSLContext.getSessionCacheMode(context.ctx) & mask) != 0;
} finally {
readerLock.unlock();
}
}
/**
* Returns the stats of this context.
*/
public OpenSslSessionStats stats() {
return stats;
}
/**
* Remove the given {@link OpenSslSession} from the cache, and so not re-use it for new connections.
*/
final void removeFromCache(OpenSslSessionId id) {
sessionCache.removeSessionWithId(id);
}
final boolean isInCache(OpenSslSessionId id) {
return sessionCache.containsSessionWithId(id);
}
void setSessionFromCache(String host, int port, long ssl) {
sessionCache.setSession(ssl, host, port);
}
final void destroy() {
if (provider != null) {
provider.destroy();
}
sessionCache.clear();
}
}
© 2015 - 2024 Weber Informatics LLC | Privacy Policy