From 5ec1b863455963a05b76ff50c7ad056928265708 Mon Sep 17 00:00:00 2001 From: xuelei Date: Mon, 17 Mar 2008 03:11:29 -0400 Subject: [PATCH] 6447412: Issue with socket.close() for ssl sockets when poweroff on other system Summary: Support SSL sockets SOLINGER Reviewed-by: chegar --- .../classes/sun/security/ssl/Handshaker.java | 5 +- .../sun/security/ssl/OutputRecord.java | 12 ++ .../sun/security/ssl/SSLSocketImpl.java | 94 ++++++++++++-- .../SSLSocketImpl/AsyncSSLSocketClose.java | 116 ++++++++++++++++++ 4 files changed, 214 insertions(+), 13 deletions(-) create mode 100644 test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/AsyncSSLSocketClose.java diff --git a/src/share/classes/sun/security/ssl/Handshaker.java b/src/share/classes/sun/security/ssl/Handshaker.java index b8395665d..5b9dae6c5 100644 --- a/src/share/classes/sun/security/ssl/Handshaker.java +++ b/src/share/classes/sun/security/ssl/Handshaker.java @@ -617,7 +617,8 @@ abstract class Handshaker { r.write(1); // single byte of data if (conn != null) { - synchronized (conn.writeLock) { + conn.writeLock.lock(); + try { conn.writeRecord(r); conn.changeWriteCiphers(); if (debug != null && Debug.isOn("handshake")) { @@ -625,6 +626,8 @@ abstract class Handshaker { } mesg.write(output); output.flush(); + } finally { + conn.writeLock.unlock(); } } else { synchronized (engine.writeLock) { diff --git a/src/share/classes/sun/security/ssl/OutputRecord.java b/src/share/classes/sun/security/ssl/OutputRecord.java index 3153b07f1..3d580e5cd 100644 --- a/src/share/classes/sun/security/ssl/OutputRecord.java +++ b/src/share/classes/sun/security/ssl/OutputRecord.java 
@@ -174,6 +174,18 @@ class OutputRecord extends ByteArrayOutputStream implements Record { return count == headerSize; } + /* + * Return true if the record is of a given alert. + */ + boolean isAlert(byte description) { + // An alert is defined with a two bytes struct, + // {byte level, byte description}, following after the header bytes. + if (count > (headerSize + 1) && contentType == ct_alert) { + return buf[headerSize + 1] == description; + } + + return false; + } /* * Compute the MAC and append it to this record. In case we diff --git a/src/share/classes/sun/security/ssl/SSLSocketImpl.java b/src/share/classes/sun/security/ssl/SSLSocketImpl.java index 0b8a16c09..66b6e6d11 100644 --- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java +++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java @@ -1,5 +1,5 @@ /* - * Copyright 1996-2007 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 1996-2008 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,8 @@ import java.security.AccessController; import java.security.AccessControlContext; import java.security.PrivilegedAction; import java.util.*; +import java.util.concurrent.TimeUnit; +import java.util.concurrent.locks.ReentrantLock; import javax.crypto.BadPaddingException; @@ -274,7 +276,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { * from the peer are handled properly. */ private Object handshakeLock; - Object writeLock; + ReentrantLock writeLock; private Object readLock; private InputRecord inrec; @@ -314,7 +316,6 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { private HashMap handshakeListeners; - /* * Reuse the same internal input/output streams. */ 
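Review bot: isAlert() reads `buf[headerSize + 1]` as the plaintext alert description, so its answer is only meaningful before the record has been MACed and encrypted, and the new comment does not state that precondition. In this patch writeRecord() calls it before writeRecordInternal(), which is the safe order, but a later caller could get it wrong without noticing. I would add to the block comment: `Must be called before addMAC()/encrypt(); afterwards the byte at this offset is no longer the plaintext description.` The level byte at `buf[headerSize]` is not checked; that looks intentional for close_notify but deserves a word in the same comment.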
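Review bot: Retyping `writeLock` from `Object` to `ReentrantLock` means any remaining `synchronized (writeLock)` or `synchronized (conn.writeLock)` block still compiles but takes the object's monitor rather than the lock, so it no longer excludes threads that use `lock()`/`tryLock()`. The visible hunks convert Handshaker and writeRecord(); other users of the field in the package are outside this diff and should be checked for a leftover `synchronized`. A short field comment such as `// acquire with lock()/tryLock() only, never synchronized` would make the rule explicit.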
@@ -526,7 +527,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { enabledCipherSuites = CipherSuiteList.getDefault(); enabledProtocols = ProtocolList.getDefault(); handshakeLock = new Object(); - writeLock = new Object(); + writeLock = new ReentrantLock(); readLock = new Object(); inrec = null; 
@@ -677,16 +678,81 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { // implementations are fragile and don't like to see empty // records, so this also increases robustness. // - synchronized (writeLock) { - if (!r.isEmpty()) { - // r.compress(c); - r.addMAC(writeMAC); - r.encrypt(writeCipher); - r.write(sockOutput); + if (!r.isEmpty()) { + + // If the record is a close notify alert, we need to honor + // socket option SO_LINGER. Note that we will try to send + // the close notify even if the SO_LINGER set to zero. + if (r.isAlert(Alerts.alert_close_notify) && getSoLinger() >= 0) { + + // keep and clear the current thread interruption status. + boolean interrupted = Thread.interrupted(); + try { + if (writeLock.tryLock(getSoLinger(), TimeUnit.SECONDS)) { + try { + writeRecordInternal(r); + } finally { + writeLock.unlock(); + } + } else { + SSLException ssle = new SSLException( + "SO_LINGER timeout," + + " close_notify message cannot be sent."); + + + // For layered, non-autoclose sockets, we are not + // able to bring them into a usable state, so we + // treat it as fatal error. + if (self != this && !autoClose) { + // Note that the alert description is + // specified as -1, so no message will be send + // to peer anymore. + fatal((byte)(-1), ssle); + } else if ((debug != null) && Debug.isOn("ssl")) { + System.out.println(threadName() + + ", received Exception: " + ssle); + } + + // RFC2246 requires that the session becomes + // unresumable if any connection is terminated + // without proper close_notify messages with + // level equal to warning. + // + // RFC4346 no longer requires that a session not be + // resumed if failure to properly close a connection. + // + // We choose to make the session unresumable if + // failed to send the close_notify message. 
+ // + sess.invalidate(); + } + } catch (InterruptedException ie) { + // keep interrupted status + interrupted = true; + } + + // restore the interrupted status + if (interrupted) { + Thread.currentThread().interrupt(); + } + } else { + writeLock.lock(); + try { + writeRecordInternal(r); + } finally { + writeLock.unlock(); + } } } } + private void writeRecordInternal(OutputRecord r) throws IOException { + // r.compress(c); + r.addMAC(writeMAC); + r.encrypt(writeCipher); + r.write(sockOutput); + } + /* * Read an application data record. Alerts and handshake @@ -1533,7 +1599,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { if (oldState == cs_HANDSHAKE) { sockInput.skip(sockInput.available()); } - sendAlert(Alerts.alert_fatal, description); + + // If the description equals -1, the alert won't be sent to peer. + if (description != -1) { + sendAlert(Alerts.alert_fatal, description); + } if (cause instanceof SSLException) { // only true if != null closeReason = (SSLException)cause; } else { @@ -1614,7 +1684,7 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { * Emit alerts. Caller must have synchronized with "this". */ private void sendAlert(byte level, byte description) { - if (connectionState >= cs_CLOSED) { + if (connectionState >= cs_SENT_CLOSE) { return; } diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/AsyncSSLSocketClose.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/AsyncSSLSocketClose.java new file mode 100644 index 000000000..21fe5303a --- /dev/null +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/AsyncSSLSocketClose.java 
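Review bot: The interrupt status cleared by `Thread.interrupted()` in writeRecord() is restored only on the normal path. An IOException from `writeRecordInternal(r)` (declared `throws IOException` in this hunk), or whatever `fatal((byte)(-1), ssle)` raises, leaves the try block before the `if (interrupted)` restore runs, so the restore belongs in a `finally`. Separately, the `InterruptedException` branch gives up on close_notify without calling `sess.invalidate()`, which seems at odds with the comment that the session is made unresumable whenever close_notify could not be sent. The SO_LINGER value also bounds only the wait for the lock, not the write itself. writeRecord() starts outside the hunk.

```java
boolean interrupted = Thread.interrupted();
try {
    // … unchanged: tryLock(getSoLinger(), TimeUnit.SECONDS), send or SO_LINGER timeout handling …
} catch (InterruptedException ie) {
    // close_notify was not sent: treat it like the timeout case
    interrupted = true;
    sess.invalidate();
} finally {
    // restore even when writeRecordInternal() or fatal() throws
    if (interrupted) {
        Thread.currentThread().interrupt();
    }
}
```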
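Review bot: The sentinel that suppresses the fatal alert is a bare `-1` in `if (description != -1)` and a separate `(byte)(-1)` at the call site in writeRecord(), with only inline comments tying the two together. A named constant used in both places, for example `private static final byte NO_ALERT = (byte) -1;`, would keep them in sync and document that this value is never sent as an alert description. fatal()'s method comment is outside the hunk and presumably needs a sentence on the sentinel as well.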
@@ -0,0 +1,116 @@ +/* + * Copyright 2007 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + */ + +/* + * @test + * @bug 6447412 + * @summary Issue with socket.close() for ssl sockets when poweroff on + * other system + */ + +import javax.net.ssl.*; +import java.io.*; + +public class AsyncSSLSocketClose implements Runnable +{ + SSLSocket socket; + SSLServerSocket ss; + + // Where do we find the keystores? 
+ static String pathToStores = "../../../../../../../etc"; + static String keyStoreFile = "keystore"; + static String trustStoreFile = "truststore"; + static String passwd = "passphrase"; + + public static void main(String[] args) { + String keyFilename = + System.getProperty("test.src", "./") + "/" + pathToStores + + "/" + keyStoreFile; + String trustFilename = + System.getProperty("test.src", "./") + "/" + pathToStores + + "/" + trustStoreFile; + + System.setProperty("javax.net.ssl.keyStore", keyFilename); + System.setProperty("javax.net.ssl.keyStorePassword", passwd); + System.setProperty("javax.net.ssl.trustStore", trustFilename); + System.setProperty("javax.net.ssl.trustStorePassword", passwd); + + new AsyncSSLSocketClose(); + } + + public AsyncSSLSocketClose() { + try { + SSLServerSocketFactory sslssf = + (SSLServerSocketFactory)SSLServerSocketFactory.getDefault(); + ss = (SSLServerSocket) sslssf.createServerSocket(0); + + SSLSocketFactory sslsf = + (SSLSocketFactory)SSLSocketFactory.getDefault(); + socket = (SSLSocket)sslsf.createSocket("localhost", + ss.getLocalPort()); + SSLSocket serverSoc = (SSLSocket) ss.accept(); + ss.close(); + + (new Thread(this)).start(); + serverSoc.startHandshake(); + + try { + Thread.sleep(5000); + } catch (Exception e) { + e.printStackTrace(); + } + + socket.setSoLinger(true, 10); + System.out.println("Calling Socket.close"); + socket.close(); + System.out.println("ssl socket get closed"); + System.out.flush(); + + } catch (IOException e) { + e.printStackTrace(); + } + + } + + // block in write + public void run() { + try { + byte[] ba = new byte[1024]; + for (int i=0; i