package com.sun.grizzly.filter;

import com.sun.grizzly.Context;
import com.sun.grizzly.Controller;
import com.sun.grizzly.ProtocolFilter;
import com.sun.grizzly.SSLConfig;
import com.sun.grizzly.util.InputReader;
import com.sun.grizzly.util.SSLUtils;
import com.sun.grizzly.util.ThreadAttachment;
import com.sun.grizzly.util.ThreadAttachment.Mode;
import com.sun.grizzly.util.WorkerThread;
import java.io.EOFException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
|
62 | |
|
63 | |
|
64 | |
|
65 | |
|
66 | |
|
67 | |
|
68 | |
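/**
 * {@link ProtocolFilter} that terminates TLS on the read side of a connection.
 *
 * <p>On every invocation {@link #execute(Context)} lazily binds an
 * {@link SSLEngine} to the current {@link WorkerThread}, drives the handshake
 * while the engine's session is not yet valid, and otherwise reads encrypted
 * bytes from the channel and unwraps them into the worker thread's plaintext
 * byte buffer for the next filter in the chain.
 *
 * <p>Thread-safety: a single filter instance is invoked from many worker
 * threads. All per-connection state lives on the {@link WorkerThread}; the
 * cipher-suite / protocol fields of this object are plain (non-volatile)
 * fields that are narrowed on first use. That is only safe if configuration
 * happens before the controller starts -- presumably the case; confirm with
 * the caller before relying on it.
 */
public class SSLReadFilter implements ProtocolFilter {

    /** Context used to create new {@link SSLEngine} instances. */
    protected SSLContext sslContext;

    /**
     * Cipher suites requested by configuration, or {@code null} to accept the
     * engine defaults. After the first engine has been created this holds only
     * the subset the engine actually supports.
     */
    private String[] enabledCipherSuites = null;

    /**
     * Protocols requested by configuration, or {@code null} to accept the
     * engine defaults. After the first engine has been created this holds only
     * the subset the engine actually supports.
     */
    private String[] enabledProtocols = null;

    /** Whether engines are created in client ({@code true}) or server mode. */
    private boolean clientMode = false;

    /** Whether the peer must present a certificate (the handshake fails otherwise). */
    private boolean needClientAuth = false;

    /** Whether the peer is asked for a certificate but may decline. */
    private boolean wantClientAuth = false;

    /** True once {@link #enabledProtocols} has been intersected with the supported list. */
    private boolean isProtocolConfigured = false;

    /** True once {@link #enabledCipherSuites} has been intersected with the supported list. */
    private boolean isCipherConfigured = false;

    /** Size passed to {@link SSLUtils#allocateThreadBuffers(int)} on every read. */
    protected int inputBBSize = 5 * 4096;

    public SSLReadFilter() {
    }

    /**
     * Reads and decrypts data for the connection bound to {@code ctx}.
     *
     * <p>On the first pass for a connection an {@link SSLEngine} is created,
     * stored on the worker thread and published as the key's attachment. While
     * the session is not valid the handshake is run; afterwards the channel is
     * read and unwrapped.
     *
     * @param ctx the current filter-chain context
     * @return {@code true} when the chain may continue; {@code false} when the
     *         connection hit EOF, the handshake failed or any throwable was
     *         raised -- the key is then marked {@code CANCEL} and the throwable
     *         (possibly {@code null}) is stored under {@link Context#THROWABLE}
     * @throws IllegalStateException if the current thread is not a {@link WorkerThread}
     */
    public boolean execute(Context ctx) throws IOException {
        final SelectionKey key = ctx.getSelectionKey();
        final WorkerThread workerThread = currentWorkerThread();

        SSLEngine sslEngine = workerThread.getSSLEngine();
        if (sslEngine == null) {
            // First pass for this connection: bind a fresh engine and attach the
            // SSL_ENGINE-mode attachment to the key so it survives re-registration.
            sslEngine = newSSLEngine(key);
            workerThread.setSSLEngine(sslEngine);
            ThreadAttachment attachment = workerThread.updateAttachment(Mode.SSL_ENGINE);
            key.attach(attachment);
        }

        final boolean hasHandshake = sslEngine.getSession().isValid();

        boolean result = true;
        int count = 0;
        Throwable exception = null;
        try {
            SSLUtils.allocateThreadBuffers(inputBBSize);

            if (hasHandshake) {
                count = doRead(key);
            } else if (doHandshake(key, SSLUtils.getReadTimeout())) {
                // Handshake done: cap the output buffer at what was actually
                // produced so stale bytes beyond it are never flushed.
                ByteBuffer outputBB = workerThread.getOutputBB();
                outputBB.limit(outputBB.position());
            } else {
                count = -1; // failed handshake is treated like EOF
            }
        } catch (IOException ex) {
            // Network-level failures are routine; keep them at FINE.
            exception = ex;
            log("SSLReadFilter.execute", ex);
        } catch (Throwable ex) {
            // Anything else (including a refused cipher/protocol configuration
            // from newSSLEngine) is unexpected and must not vanish at FINE.
            exception = ex;
            Controller.logger().log(Level.WARNING, "SSLReadFilter.execute", ex);
        } finally {
            if (exception != null || count == -1) {
                ctx.setAttribute(Context.THROWABLE, exception);
                ctx.setKeyRegistrationState(Context.KeyRegistrationState.CANCEL);
                result = false;
            }
        }
        return result;
    }

    /**
     * Applies the key-registration decision taken by {@link #execute(Context)}.
     *
     * <p>{@code CANCEL}: the key is cancelled through the selection-key handler.
     * {@code REGISTER}: the INPUT_BB / OUTPUT_BB flags on the thread attachment
     * are updated so leftover encrypted input and pending output survive until
     * the next read, the key is re-registered for {@code OP_READ} and the state
     * is reset to {@code NONE}. Any other state is left untouched.
     *
     * @param ctx the current filter-chain context
     * @return always {@code true}
     */
    public boolean postExecute(Context ctx) throws IOException {
        final SelectionKey key = ctx.getSelectionKey();
        final Context.KeyRegistrationState state = ctx.getKeyRegistrationState();
        if (state == Context.KeyRegistrationState.CANCEL) {
            ctx.getSelectorHandler().getSelectionKeyHandler().cancel(key);
        } else if (state == Context.KeyRegistrationState.REGISTER) {
            saveSecuredBufferRemainders(key);
            ctx.getSelectorHandler().register(key, SelectionKey.OP_READ);
            ctx.setKeyRegistrationState(Context.KeyRegistrationState.NONE);
        }
        return true;
    }

    /**
     * Returns the current thread as a {@link WorkerThread}.
     *
     * @throws IllegalStateException if the filter is being run on a thread of
     *         any other type (the per-connection SSL state lives on the worker)
     */
    private static WorkerThread currentWorkerThread() {
        final Thread current = Thread.currentThread();
        if (!(current instanceof WorkerThread)) {
            throw new IllegalStateException(
                    "SSLReadFilter must run on a WorkerThread, but was invoked from "
                    + current.getClass().getName());
        }
        return (WorkerThread) current;
    }

    /**
     * Runs the TLS handshake on the key's channel and then performs the first
     * application read.
     *
     * <p>NOTE(review): the buffer returned by {@code SSLUtils.doHandshake} is
     * not stored back on the worker thread here; presumably the utility stores
     * a replaced buffer itself -- confirm, otherwise handshake plaintext could
     * be lost when the buffer is reallocated.
     *
     * @param key     selection key whose channel must be a {@link SocketChannel}
     * @param timeout read timeout handed to {@code SSLUtils.doHandshake}
     * @return {@code true} on success; {@code false} if the handshake or the
     *         first read failed (the cause is logged at FINE)
     */
    private static boolean doHandshake(SelectionKey key, int timeout) throws IOException {
        final WorkerThread workerThread = (WorkerThread) Thread.currentThread();
        final ByteBuffer byteBuffer = workerThread.getByteBuffer();
        final ByteBuffer outputBB = workerThread.getOutputBB();
        final ByteBuffer inputBB = workerThread.getInputBB();
        final SSLEngine sslEngine = workerThread.getSSLEngine();

        try {
            SSLUtils.doHandshake((SocketChannel) key.channel(), byteBuffer, inputBB,
                    outputBB, sslEngine, HandshakeStatus.NEED_UNWRAP, timeout);
            if (doRead(key) == -1) {
                throw new EOFException();
            }
            return true;
        } catch (IOException ex) {
            log("doHandshake", ex);
            return false;
        }
    }

    /**
     * Reads encrypted bytes from the channel into the worker thread's input
     * buffer and unwraps everything available into its plaintext buffer,
     * storing the (possibly reallocated) buffers back on the thread.
     *
     * <p>Bytes already sitting in the input buffer are unwrapped even when the
     * read itself returned EOF or failed, because they may complete a record.
     *
     * @param key selection key whose channel must be a {@link SocketChannel}
     * @return the number of bytes read from the channel, or {@code -1} on EOF
     *         or error. Special case: on EOF, if unwrapping buffered input still
     *         advanced the plaintext buffer, the pre-unwrap position of the
     *         input buffer is returned instead so the caller does not discard
     *         that data. Whenever the read ended in {@code -1} the engine's
     *         inbound side is closed before returning.
     */
    private static int doRead(SelectionKey key) {
        final WorkerThread workerThread = (WorkerThread) Thread.currentThread();
        ByteBuffer byteBuffer = workerThread.getByteBuffer();
        final ByteBuffer outputBB = workerThread.getOutputBB();
        final ByteBuffer inputBB = workerThread.getInputBB();
        final SSLEngine sslEngine = workerThread.getSSLEngine();

        int count = -1;
        try {
            final int initialBufferPosition = byteBuffer.position();

            try {
                count = ((SocketChannel) key.channel()).read(inputBB);
            } catch (IOException e) {
                log("Exception during SSL read.", e);
                count = -1;
            }

            if (count > -1 || inputBB.position() > 0) {
                if (Controller.logger().isLoggable(Level.FINE)) {
                    Controller.logger().log(Level.FINE,
                            "SSLReadFilter. Read: " + count +
                            " Calling unwrapAll. InputBB: " +
                            inputBB + " byteBuffer: " + byteBuffer);
                }

                final int initialInputBBPosition = inputBB.position();
                byteBuffer = SSLUtils.unwrapAll(byteBuffer, inputBB, sslEngine);
                workerThread.setInputBB(inputBB);
                workerThread.setOutputBB(outputBB);
                workerThread.setByteBuffer(byteBuffer);

                if (count == -1 && byteBuffer.position() != initialBufferPosition) {
                    return initialInputBBPosition;
                }
            }
            return count;
        } catch (IOException ex) {
            log("Exception during SSL read.", ex);
            return -1;
        } finally {
            if (count == -1) {
                try {
                    sslEngine.closeInbound();
                } catch (SSLException ex) {
                    // Typically raised when the peer dropped the connection
                    // without a close_notify; nothing to recover, but do not
                    // hide it entirely.
                    log("SSLEngine.closeInbound failed", ex);
                }
            }
        }
    }

    /**
     * Delegates to {@code SSLUtils.doPeerCertificateChain} with the current
     * worker thread's buffers and engine (presumably triggering a renegotiation
     * that asks the peer for its certificate -- confirm in SSLUtils).
     *
     * @param key            selection key whose channel must be a {@link SocketChannel}
     * @param needClientAuth whether the peer must present a certificate
     * @return whatever {@code SSLUtils.doPeerCertificateChain} returns; opaque here
     * @throws IOException propagated from the utility
     */
    public static Object[] doPeerCertificateChain(SelectionKey key,
            boolean needClientAuth) throws IOException {

        final WorkerThread workerThread = (WorkerThread) Thread.currentThread();
        final ByteBuffer byteBuffer = workerThread.getByteBuffer();
        final ByteBuffer inputBB = workerThread.getInputBB();
        final ByteBuffer outputBB = workerThread.getOutputBB();
        final SSLEngine sslEngine = workerThread.getSSLEngine();

        return SSLUtils.doPeerCertificateChain((SocketChannel) key.channel(),
                byteBuffer, inputBB, outputBB, sslEngine, needClientAuth,
                InputReader.getDefaultReadTimeout());
    }

    /**
     * Creates a new {@link SSLEngine} from {@link #sslContext} and applies the
     * configured cipher suites, protocols and client mode.
     *
     * <p>On the first call the requested cipher-suite and protocol lists are
     * narrowed to what the engine supports and the narrowed lists replace the
     * originals. If nothing in a requested list is supported the method throws
     * instead of silently dropping the restriction and running on the engine
     * defaults -- a restricted list that matches nothing is a misconfiguration
     * and must fail closed.
     *
     * @return the configured engine
     * @throws IllegalStateException if none of the configured cipher suites or
     *         protocols is supported by the engine
     */
    protected SSLEngine newSSLEngine() {
        final SSLEngine sslEngine = sslContext.createSSLEngine();

        if (enabledCipherSuites != null) {
            if (!isCipherConfigured) {
                enabledCipherSuites = requireSupported("cipher suites",
                        enabledCipherSuites, sslEngine.getSupportedCipherSuites());
                isCipherConfigured = true;
            }
            sslEngine.setEnabledCipherSuites(enabledCipherSuites);
        }

        if (enabledProtocols != null) {
            if (!isProtocolConfigured) {
                enabledProtocols = requireSupported("protocols",
                        enabledProtocols, sslEngine.getSupportedProtocols());
                isProtocolConfigured = true;
            }
            sslEngine.setEnabledProtocols(enabledProtocols);
        }

        sslEngine.setUseClientMode(clientMode);
        return sslEngine;
    }

    /**
     * Returns the engine to use for {@code key}: the one already bound to the
     * current worker thread when the key carries a {@link ThreadAttachment}
     * (i.e. it was served before), otherwise a new one from
     * {@link #newSSLEngine()}. Client-authentication flags are (re)applied in
     * both cases.
     *
     * @param key the selection key of the connection
     * @return the engine, never {@code null}
     */
    protected SSLEngine newSSLEngine(SelectionKey key) {
        SSLEngine sslEngine = null;
        if (key.attachment() instanceof ThreadAttachment) {
            sslEngine = ((WorkerThread) Thread.currentThread()).getSSLEngine();
        }

        if (sslEngine == null) {
            sslEngine = newSSLEngine();
        }

        sslEngine.setWantClientAuth(wantClientAuth);
        sslEngine.setNeedClientAuth(needClientAuth);
        return sslEngine;
    }

    /**
     * Takes the SSL context and client-auth / client-mode settings from
     * {@code sslConfig}. Cipher suites and protocols are not read from it.
     *
     * @param sslConfig source of the settings
     */
    public void configure(SSLConfig sslConfig) {
        sslContext = sslConfig.createSSLContext();
        wantClientAuth = sslConfig.isWantClientAuth();
        needClientAuth = sslConfig.isNeedClientAuth();
        clientMode = sslConfig.isClientMode();
    }

    /** Sets the context used to create engines. */
    public void setSSLContext(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    /** Returns the context used to create engines, or {@code null} if unset. */
    public SSLContext getSSLContext() {
        return sslContext;
    }

    /**
     * Returns the configured cipher suites (the internal array, not a copy).
     * After the first engine has been created it holds only the supported subset.
     */
    public String[] getEnabledCipherSuites() {
        return enabledCipherSuites;
    }

    /**
     * Sets the cipher suites to enable; entries are trimmed and intersected
     * with the engine's supported list when the first engine is created.
     * The array is stored as-is (not copied).
     */
    public void setEnabledCipherSuites(String[] enabledCipherSuites) {
        this.enabledCipherSuites = enabledCipherSuites;
    }

    /**
     * Returns the configured protocols (the internal array, not a copy).
     * After the first engine has been created it holds only the supported subset.
     */
    public String[] getEnabledProtocols() {
        return enabledProtocols;
    }

    /**
     * Sets the protocols to enable; entries are trimmed and intersected with
     * the engine's supported list when the first engine is created.
     * The array is stored as-is (not copied).
     */
    public void setEnabledProtocols(String[] enabledProtocols) {
        this.enabledProtocols = enabledProtocols;
    }

    /** Whether engines are created in client mode. */
    public boolean isClientMode() {
        return clientMode;
    }

    /** Sets whether engines are created in client mode. */
    public void setClientMode(boolean clientMode) {
        this.clientMode = clientMode;
    }

    /** Whether the peer must present a certificate. */
    public boolean isNeedClientAuth() {
        return needClientAuth;
    }

    /** Sets whether the peer must present a certificate. */
    public void setNeedClientAuth(boolean needClientAuth) {
        this.needClientAuth = needClientAuth;
    }

    /** Whether the peer is asked for a certificate but may decline. */
    public boolean isWantClientAuth() {
        return wantClientAuth;
    }

    /** Sets whether the peer is asked for a certificate but may decline. */
    public void setWantClientAuth(boolean wantClientAuth) {
        this.wantClientAuth = wantClientAuth;
    }

    /**
     * Intersects {@code requested} with {@code supported} and refuses an empty
     * result.
     *
     * @param what      human-readable name of the list, used in the error message
     * @param requested names from configuration (trimmed before comparison)
     * @param supported names the engine reports as supported
     * @return the supported subset, in the engine's order, never empty
     * @throws IllegalStateException if no requested name is supported
     */
    private static String[] requireSupported(String what, String[] requested,
            String[] supported) {
        final String[] subset = supportedSubset(requested, supported);
        if (subset.length == 0) {
            throw new IllegalStateException("None of the configured " + what + " "
                    + Arrays.toString(requested)
                    + " is supported by the SSLEngine; refusing to fall back to the engine defaults");
        }
        return subset;
    }

    /**
     * Returns the entries of {@code requested} (after trimming) that appear in
     * {@code supported}, ordered as in {@code supported}. Shared by the
     * cipher-suite and protocol configuration, which used to duplicate this loop.
     *
     * @return a possibly empty array; never {@code null}
     */
    private static String[] supportedSubset(String[] requested, String[] supported) {
        final List<String> matched = new ArrayList<String>();
        for (String candidate : supported) {
            for (String name : requested) {
                if (candidate.equals(name.trim())) {
                    matched.add(candidate);
                    break;
                }
            }
        }
        return matched.toArray(new String[matched.size()]);
    }

    /**
     * Records on the key's {@link ThreadAttachment} whether the worker thread's
     * input (encrypted) and output buffers still hold data, so the buffers are
     * carried over to the next read instead of being recycled.
     *
     * <p>Does nothing (logging at FINE) when the key has no attachment or its
     * attachment is not the one held by the current thread.
     *
     * @param selectionKey the key about to be re-registered for reading
     */
    private void saveSecuredBufferRemainders(SelectionKey selectionKey) {
        final ThreadAttachment attachment =
                (ThreadAttachment) selectionKey.attachment();
        final WorkerThread workerThread = (WorkerThread) Thread.currentThread();

        if (attachment == null || workerThread.getAttachment() != attachment) {
            Controller.logger().log(Level.FINE,
                    "SelectionKey ThreadAttachment is NULL or doesn't " +
                    "correspond to the current thread, when saving buffers");
            return;
        }

        final ByteBuffer inputBB = workerThread.getInputBB();
        flagRemainder(workerThread, attachment, Mode.INPUT_BB,
                inputBB != null && inputBB.hasRemaining());

        final ByteBuffer outputBB = workerThread.getOutputBB();
        flagRemainder(workerThread, attachment, Mode.OUTPUT_BB,
                outputBB != null && outputBB.hasRemaining());
    }

    /**
     * Sets or clears a single mode bit on the attachment through the worker
     * thread. The mode is re-read from the attachment on each call so an
     * earlier update in the same pass is not lost.
     *
     * @param modeBit the {@link Mode} bit to set or clear
     * @param keep    {@code true} to set the bit, {@code false} to clear it
     */
    private static void flagRemainder(WorkerThread workerThread,
            ThreadAttachment attachment, int modeBit, boolean keep) {
        final int mode = attachment.getMode();
        if (keep) {
            workerThread.updateAttachment(mode | modeBit);
        } else {
            // Integer.MAX_VALUE ^ bit also clears the sign bit; the original
            // used this form, so Mode values are presumably all non-negative.
            workerThread.updateAttachment(mode & (Integer.MAX_VALUE ^ modeBit));
        }
    }

    /**
     * Logs {@code t} with {@code msg} at FINE through the controller logger.
     * Intended for expected network-level failures; unexpected errors are
     * logged at WARNING by the callers directly.
     */
    protected static void log(String msg, Throwable t) {
        if (Controller.logger().isLoggable(Level.FINE)) {
            Controller.logger().log(Level.FINE, msg, t);
        }
    }
}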