< prev index next >

src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java

Print this page




  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 package sun.security.ssl;
  26 
  27 import java.math.BigInteger;
  28 import java.net.InetAddress;
  29 import java.security.Principal;
  30 import java.security.PrivateKey;
  31 import java.security.cert.CertificateEncodingException;
  32 import java.security.cert.X509Certificate;
  33 import java.util.ArrayList;
  34 import java.util.Queue;
  35 import java.util.Collection;
  36 import java.util.Collections;
  37 import java.util.Enumeration;
  38 import java.util.List;
  39 import java.util.concurrent.ConcurrentHashMap;
  40 import java.util.concurrent.ConcurrentLinkedQueue;
  41 import java.util.concurrent.locks.ReentrantLock;
  42 import javax.crypto.SecretKey;
  43 import javax.net.ssl.ExtendedSSLSession;
  44 import javax.net.ssl.SNIServerName;
  45 import javax.net.ssl.SSLPeerUnverifiedException;
  46 import javax.net.ssl.SSLPermission;
  47 import javax.net.ssl.SSLSessionBindingEvent;
  48 import javax.net.ssl.SSLSessionBindingListener;
  49 import javax.net.ssl.SSLSessionContext;
  50 
  51 /**
  52  * Implements the SSL session interface, and exposes the session context
  53  * which is maintained by SSL servers.
  54  *
  55  * <P> Servers have the ability to manage the sessions associated with
  56  * their authentication context(s).  They can do this by enumerating the
  57  * IDs of the sessions which are cached, examining those sessions, and then
  58  * perhaps invalidating a given session so that it can't be used again.
  59  * If servers do not explicitly manage the cache, sessions will linger
  60  * until memory is low enough that the runtime environment purges cache
  61  * entries automatically to reclaim space.


 117      * abbreviated initial handshake?
 118      *
 119      * Note that currently we only set this variable in client side.
 120      */
 121     private boolean isSessionResumption = false;
 122 
 123     /*
 124      * Use of session caches is globally enabled/disabled.
 125      */
 126     private static boolean      defaultRejoinable = true;
 127 
 128     // server name indication
 129     final SNIServerName         serverNameIndication;
 130     private final List<SNIServerName>    requestedServerNames;
 131 
 132     // Counter used to create unique nonces in NewSessionTicket
 133     private BigInteger ticketNonceCounter = BigInteger.ONE;
 134 
 135     // The endpoint identification algorithm used to check certificates
 136     // in this session.
 137     private final String        identificationProtocol;
 138 
 139     private final ReentrantLock sessionLock = new ReentrantLock();
 140 
 141     /*
 142      * Create a new non-rejoinable session, using the default (null)
 143      * cipher spec.  This constructor returns a session which could
 144      * be used either by a client or by a server, as a connection is
 145      * first opened and before handshaking begins.
 146      */
 147     private SSLSessionImpl() {
 148         this.protocolVersion = ProtocolVersion.NONE;
 149         this.cipherSuite = CipherSuite.C_NULL;
 150         this.sessionId = new SessionId(false, null);
 151         this.host = null;
 152         this.port = -1;
 153         this.localSupportedSignAlgs = Collections.emptySet();
 154         this.serverNameIndication = null;
 155         this.requestedServerNames = Collections.<SNIServerName>emptyList();
 156         this.useExtendedMasterSecret = false;
 157         this.creationTime = System.currentTimeMillis();
 158         this.identificationProtocol = null;
 159         this.boundValues = new ConcurrentHashMap<>();


 275         this.pskIdentity = pskIdentity;
 276     }
 277 
 278     BigInteger incrTicketNonceCounter() {
 279         BigInteger result = ticketNonceCounter;
 280         ticketNonceCounter = ticketNonceCounter.add(BigInteger.valueOf(1));
 281         return result;
 282     }
 283 
 284     /**
 285      * Returns the master secret ... treat with extreme caution!
 286      */
 287     SecretKey getMasterSecret() {
 288         return masterSecret;
 289     }
 290 
 291     SecretKey getResumptionMasterSecret() {
 292         return resumptionMasterSecret;
 293     }
 294 
 295     SecretKey getPreSharedKey() {
 296         sessionLock.lock();
 297         try {
 298             return preSharedKey;
 299         } finally {
 300             sessionLock.unlock();
 301         }
 302     }
 303 
 304     SecretKey consumePreSharedKey() {
 305         sessionLock.lock();
 306         try {
 307             return preSharedKey;
 308         } finally {
 309             preSharedKey = null;
 310             sessionLock.unlock();
 311         }
 312     }
 313 
 314     int getTicketAgeAdd() {
 315         return ticketAgeAdd;
 316     }
 317 
 318     String getIdentificationProtocol() {
 319         return this.identificationProtocol;
 320     }
 321 
 322     /* PSK identities created from new_session_ticket messages should only
 323      * be used once. This method will return the identity and then clear it
 324      * so it cannot be used again.
 325      */
 326     byte[] consumePskIdentity() {
 327         sessionLock.lock();
 328         try {
 329             return pskIdentity;
 330         } finally {
 331             pskIdentity = null;
 332             sessionLock.unlock();
 333         }
 334     }
 335 
 336     void setPeerCertificates(X509Certificate[] peer) {
 337         if (peerCerts == null) {
 338             peerCerts = peer;
 339         }
 340     }
 341 
 342     void setLocalCertificates(X509Certificate[] local) {
 343         localCerts = local;
 344     }
 345 
 346     void setLocalPrivateKey(PrivateKey privateKey) {
 347         localPrivateKey = privateKey;
 348     }
 349 
 350     void setPeerSupportedSignatureAlgorithms(
 351             Collection<SignatureScheme> signatureSchemes) {
 352         peerSupportedSignAlgs =


 388         if (responses != null && !responses.isEmpty()) {
 389             statusResponses = responses;
 390         } else {
 391             statusResponses = Collections.emptyList();
 392         }
 393     }
 394 
 395     /**
 396      * Returns true iff this session may be resumed ... sessions are
 397      * usually resumable.  Security policies may suggest otherwise,
 398      * for example sessions that haven't been used for a while (say,
 399      * a working day) won't be resumable, and sessions might have a
 400      * maximum lifetime in any case.
 401      */
 402     boolean isRejoinable() {
 403         return sessionId != null && sessionId.length() != 0 &&
 404             !invalidated && isLocalAuthenticationValid();
 405     }
 406 
 407     @Override
 408     public boolean isValid() {
 409         sessionLock.lock();
 410         try {
 411             return isRejoinable();
 412         } finally {
 413             sessionLock.unlock();
 414         }
 415     }
 416 
 417     /**
 418      * Check if the authentication used when establishing this session
 419      * is still valid. Returns true if no authentication was used
 420      */
 421     private boolean isLocalAuthenticationValid() {
 422         if (localPrivateKey != null) {
 423             try {
 424                 // if the private key is no longer valid, getAlgorithm()
 425                 // should throw an exception
 426                 // (e.g. Smartcard has been removed from the reader)
 427                 localPrivateKey.getAlgorithm();
 428             } catch (Exception e) {
 429                 invalidate();
 430                 return false;
 431             }
 432         }
 433 
 434         return true;


 777     /**
 778      * Need to provide the port info for caching sessions based on
 779      * host and port. Accessed by SSLSessionContextImpl
 780      */
 781     @Override
 782     public int getPeerPort() {
 783         return port;
 784     }
 785 
 786     void setContext(SSLSessionContextImpl ctx) {
 787         if (context == null) {
 788             context = ctx;
 789         }
 790     }
 791 
 792     /**
 793      * Invalidate a session.  Active connections may still exist, but
 794      * no connections will be able to rejoin this session.
 795      */
 796     @Override
 797     public void invalidate() {
 798         sessionLock.lock();
 799         try {
 800             //
 801             // Can't invalidate the NULL session -- this would be
 802             // attempted when we get a handshaking error on a brand
 803             // new connection, with no "real" session yet.
 804             //
 805             if (this == nullSession) {
 806                 return;
 807             }
 808 
 809             if (context != null) {
 810                 context.remove(sessionId);
 811                 context = null;
 812             }
 813 
 814             if (invalidated) {
 815                 return;
 816             }
 817             invalidated = true;
 818             if (SSLLogger.isOn && SSLLogger.isOn("session")) {
 819                  SSLLogger.finest("Invalidated session:  " + this);
 820             }
 821             for (SSLSessionImpl child : childSessions) {
 822                 child.invalidate();
 823             }
 824         } finally {
 825             sessionLock.unlock();

 826         }
 827     }
 828 
 829     /*
 830      * Table of application-specific session data indexed by an application
 831      * key and the calling security context. This is important since
 832      * sessions can be shared across different protection domains.
 833      */
 834     private final ConcurrentHashMap<SecureKey, Object> boundValues;
 835 
 836     /**
 837      * Assigns a session value.  Session change events are given if
 838      * appropriate, to any original value as well as the new value.
 839      */
 840     @Override
 841     public void putValue(String key, Object value) {
 842         if ((key == null) || (value == null)) {
 843             throw new IllegalArgumentException("arguments can not be null");
 844         }
 845 


 918      * Use large packet sizes now or follow RFC 2246 packet sizes (2^14)
 919      * until changed.
 920      *
 921      * In the TLS specification (section 6.2.1, RFC2246), it is not
 922      * recommended that the plaintext has more than 2^14 bytes.
 923      * However, some TLS implementations violate the specification.
 924      * This is a workaround for interoperability with these stacks.
 925      *
 926      * Application could accept large fragments up to 2^15 bytes by
 927      * setting the system property jsse.SSLEngine.acceptLargeFragments
 928      * to "true".
 929      */
 930     private boolean acceptLargeFragments =
 931             Utilities.getBooleanProperty(
 932                     "jsse.SSLEngine.acceptLargeFragments", false);
 933 
 934     /**
 935      * Expand the buffer size of both SSL/TLS network packet and
 936      * application data.
 937      */
 938     protected void expandBufferSizes() {
 939         sessionLock.lock();
 940         try {
 941             acceptLargeFragments = true;
 942         } finally {
 943             sessionLock.unlock();
 944         }
 945     }
 946 
 947     /**
 948      * Gets the current size of the largest SSL/TLS packet that is expected
 949      * when using this session.
 950      */
 951     @Override
 952     public int getPacketBufferSize() {
 953         sessionLock.lock();
 954         try {
 955             // Use the bigger packet size calculated from maximumPacketSize
 956             // and negotiatedMaxFragLen.
 957             int packetSize = 0;
 958             if (negotiatedMaxFragLen > 0) {
 959                 packetSize = cipherSuite.calculatePacketSize(
 960                         negotiatedMaxFragLen, protocolVersion,
 961                         protocolVersion.isDTLS);
 962             }
 963 
 964             if (maximumPacketSize > 0) {
 965                 return (maximumPacketSize > packetSize) ?
 966                         maximumPacketSize : packetSize;
 967             }
 968 
 969             if (packetSize != 0) {
 970                return packetSize;
 971             }
 972 
 973             if (protocolVersion.isDTLS) {
 974                 return DTLSRecord.maxRecordSize;
 975             } else {
 976                 return acceptLargeFragments ?
 977                         SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;
 978             }
 979         } finally {
 980             sessionLock.unlock();
 981         }
 982     }
 983 
 984     /**
 985      * Gets the current size of the largest application data that is
 986      * expected when using this session.
 987      */
 988     @Override
 989     public int getApplicationBufferSize() {
 990         sessionLock.lock();
 991         try {
 992             // Use the bigger fragment size calculated from maximumPacketSize
 993             // and negotiatedMaxFragLen.
 994             int fragmentSize = 0;
 995             if (maximumPacketSize > 0) {
 996                 fragmentSize = cipherSuite.calculateFragSize(
 997                         maximumPacketSize, protocolVersion,
 998                         protocolVersion.isDTLS);
 999             }
1000 
1001             if (negotiatedMaxFragLen > 0) {
1002                 return (negotiatedMaxFragLen > fragmentSize) ?
1003                         negotiatedMaxFragLen : fragmentSize;
1004             }
1005 
1006             if (fragmentSize != 0) {
1007                 return fragmentSize;
1008             }
1009 
1010             if (protocolVersion.isDTLS) {
1011                 return Record.maxDataSize;
1012             } else {
1013                 int maxPacketSize = acceptLargeFragments ?
1014                             SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;
1015                 return (maxPacketSize - SSLRecord.headerSize);
1016             }
1017         } finally {
1018             sessionLock.unlock();
1019         }
1020     }
1021 
1022     /**
1023      * Sets the negotiated maximum fragment length, as specified by the
1024      * max_fragment_length ClientHello extension in RFC 6066.
1025      *
1026      * @param  negotiatedMaxFragLen
1027      *         the negotiated maximum fragment length, or {@code -1} if
1028      *         no such length has been negotiated.
1029      */
1030     void setNegotiatedMaxFragSize(
1031             int negotiatedMaxFragLen) {
1032         sessionLock.lock();
1033         try {
1034             this.negotiatedMaxFragLen = negotiatedMaxFragLen;
1035         } finally {
1036             sessionLock.unlock();
1037         }
1038     }
1039 
1040     /**
1041      * Get the negotiated maximum fragment length, as specified by the
1042      * max_fragment_length ClientHello extension in RFC 6066.
1043      *
1044      * @return the negotiated maximum fragment length, or {@code -1} if
1045      *         no such length has been negotiated.
1046      */
1047     int getNegotiatedMaxFragSize() {
1048         sessionLock.lock();
1049         try {
1050             return negotiatedMaxFragLen;
1051         } finally {
1052             sessionLock.unlock();
1053         }
1054     }
1055 
1056     void setMaximumPacketSize(int maximumPacketSize) {
1057         sessionLock.lock();
1058         try {
1059             this.maximumPacketSize = maximumPacketSize;
1060         } finally {
1061             sessionLock.unlock();
1062         }
1063     }
1064 
1065     int getMaximumPacketSize() {
1066         sessionLock.lock();
1067         try {
1068             return maximumPacketSize;
1069         } finally {
1070             sessionLock.unlock();
1071         }
1072     }
1073 
1074     /**
1075      * Gets an array of supported signature algorithm names that the local
1076      * side is willing to verify.
1077      */
1078     @Override
1079     public String[] getLocalSupportedSignatureAlgorithms() {
1080         return SignatureScheme.getAlgorithmNames(localSupportedSignAlgs);
1081     }
1082 
1083     /**
1084      * Gets an array of supported signature schemes that the local side is
1085      * willing to verify.
1086      */
1087     public Collection<SignatureScheme> getLocalSupportedSignatureSchemes() {
1088         return localSupportedSignAlgs;
1089     }
1090 
1091     /**




  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 package sun.security.ssl;
  26 
  27 import java.math.BigInteger;
  28 import java.net.InetAddress;
  29 import java.security.Principal;
  30 import java.security.PrivateKey;
  31 import java.security.cert.CertificateEncodingException;
  32 import java.security.cert.X509Certificate;
  33 import java.util.ArrayList;
  34 import java.util.Queue;
  35 import java.util.Collection;
  36 import java.util.Collections;
  37 import java.util.Enumeration;
  38 import java.util.List;
  39 import java.util.concurrent.ConcurrentHashMap;
  40 import java.util.concurrent.ConcurrentLinkedQueue;

  41 import javax.crypto.SecretKey;
  42 import javax.net.ssl.ExtendedSSLSession;
  43 import javax.net.ssl.SNIServerName;
  44 import javax.net.ssl.SSLPeerUnverifiedException;
  45 import javax.net.ssl.SSLPermission;
  46 import javax.net.ssl.SSLSessionBindingEvent;
  47 import javax.net.ssl.SSLSessionBindingListener;
  48 import javax.net.ssl.SSLSessionContext;
  49 
  50 /**
  51  * Implements the SSL session interface, and exposes the session context
  52  * which is maintained by SSL servers.
  53  *
  54  * <P> Servers have the ability to manage the sessions associated with
  55  * their authentication context(s).  They can do this by enumerating the
  56  * IDs of the sessions which are cached, examining those sessions, and then
  57  * perhaps invalidating a given session so that it can't be used again.
  58  * If servers do not explicitly manage the cache, sessions will linger
  59  * until memory is low enough that the runtime environment purges cache
  60  * entries automatically to reclaim space.


 116      * abbreviated initial handshake?
 117      *
 118      * Note that currently we only set this variable in client side.
 119      */
 120     private boolean isSessionResumption = false;
 121 
 122     /*
 123      * Use of session caches is globally enabled/disabled.
 124      */
 125     private static boolean      defaultRejoinable = true;
 126 
 127     // server name indication
 128     final SNIServerName         serverNameIndication;
 129     private final List<SNIServerName>    requestedServerNames;
 130 
 131     // Counter used to create unique nonces in NewSessionTicket
 132     private BigInteger ticketNonceCounter = BigInteger.ONE;
 133 
 134     // The endpoint identification algorithm used to check certificates
 135     // in this session.
 136     private final String              identificationProtocol;


 137 
 138     /*
 139      * Create a new non-rejoinable session, using the default (null)
 140      * cipher spec.  This constructor returns a session which could
 141      * be used either by a client or by a server, as a connection is
 142      * first opened and before handshaking begins.
 143      */
 144     private SSLSessionImpl() {
 145         this.protocolVersion = ProtocolVersion.NONE;
 146         this.cipherSuite = CipherSuite.C_NULL;
 147         this.sessionId = new SessionId(false, null);
 148         this.host = null;
 149         this.port = -1;
 150         this.localSupportedSignAlgs = Collections.emptySet();
 151         this.serverNameIndication = null;
 152         this.requestedServerNames = Collections.<SNIServerName>emptyList();
 153         this.useExtendedMasterSecret = false;
 154         this.creationTime = System.currentTimeMillis();
 155         this.identificationProtocol = null;
 156         this.boundValues = new ConcurrentHashMap<>();


 272         this.pskIdentity = pskIdentity;
 273     }
 274 
 275     BigInteger incrTicketNonceCounter() {
 276         BigInteger result = ticketNonceCounter;
 277         ticketNonceCounter = ticketNonceCounter.add(BigInteger.valueOf(1));
 278         return result;
 279     }
 280 
 281     /**
 282      * Returns the master secret ... treat with extreme caution!
 283      */
 284     SecretKey getMasterSecret() {
 285         return masterSecret;
 286     }
 287 
 288     SecretKey getResumptionMasterSecret() {
 289         return resumptionMasterSecret;
 290     }
 291 
 292     synchronized SecretKey getPreSharedKey() {
 293         return preSharedKey;





 294     }
 295 
 296     synchronized SecretKey consumePreSharedKey() {

 297         try {
 298             return preSharedKey;
 299         } finally {
 300             preSharedKey = null;

 301         }
 302     }
 303 
 304     int getTicketAgeAdd() {
 305         return ticketAgeAdd;
 306     }
 307 
 308     String getIdentificationProtocol() {
 309         return this.identificationProtocol;
 310     }
 311 
 312     /* PSK identities created from new_session_ticket messages should only
 313      * be used once. This method will return the identity and then clear it
 314      * so it cannot be used again.
 315      */
 316     synchronized byte[] consumePskIdentity() {

 317         try {
 318             return pskIdentity;
 319         } finally {
 320             pskIdentity = null;

 321         }
 322     }
 323 
 324     void setPeerCertificates(X509Certificate[] peer) {
 325         if (peerCerts == null) {
 326             peerCerts = peer;
 327         }
 328     }
 329 
 330     void setLocalCertificates(X509Certificate[] local) {
 331         localCerts = local;
 332     }
 333 
 334     void setLocalPrivateKey(PrivateKey privateKey) {
 335         localPrivateKey = privateKey;
 336     }
 337 
 338     void setPeerSupportedSignatureAlgorithms(
 339             Collection<SignatureScheme> signatureSchemes) {
 340         peerSupportedSignAlgs =


 376         if (responses != null && !responses.isEmpty()) {
 377             statusResponses = responses;
 378         } else {
 379             statusResponses = Collections.emptyList();
 380         }
 381     }
 382 
 383     /**
 384      * Returns true iff this session may be resumed ... sessions are
 385      * usually resumable.  Security policies may suggest otherwise,
 386      * for example sessions that haven't been used for a while (say,
 387      * a working day) won't be resumable, and sessions might have a
 388      * maximum lifetime in any case.
 389      */
 390     boolean isRejoinable() {
 391         return sessionId != null && sessionId.length() != 0 &&
 392             !invalidated && isLocalAuthenticationValid();
 393     }
 394 
 395     @Override
 396     public synchronized boolean isValid() {
 397         return isRejoinable();





 398     }
 399 
 400     /**
 401      * Check if the authentication used when establishing this session
 402      * is still valid. Returns true if no authentication was used
 403      */
 404     private boolean isLocalAuthenticationValid() {
 405         if (localPrivateKey != null) {
 406             try {
 407                 // if the private key is no longer valid, getAlgorithm()
 408                 // should throw an exception
 409                 // (e.g. Smartcard has been removed from the reader)
 410                 localPrivateKey.getAlgorithm();
 411             } catch (Exception e) {
 412                 invalidate();
 413                 return false;
 414             }
 415         }
 416 
 417         return true;


 760     /**
 761      * Need to provide the port info for caching sessions based on
 762      * host and port. Accessed by SSLSessionContextImpl
 763      */
 764     @Override
 765     public int getPeerPort() {
 766         return port;
 767     }
 768 
 769     void setContext(SSLSessionContextImpl ctx) {
 770         if (context == null) {
 771             context = ctx;
 772         }
 773     }
 774 
 775     /**
 776      * Invalidate a session.  Active connections may still exist, but
 777      * no connections will be able to rejoin this session.
 778      */
 779     @Override
 780     public synchronized void invalidate() {
 781         //
 782         // Can't invalidate the NULL session -- this would be
 783         // attempted when we get a handshaking error on a brand
 784         // new connection, with no "real" session yet.
 785         //
 786         if (this == nullSession) {
 787             return;
 788         }







 789 
 790         if (context != null) {
 791             context.remove(sessionId);
 792             context = null;
 793         }
 794         if (invalidated) {
 795             return;
 796         }
 797         invalidated = true;
 798         if (SSLLogger.isOn && SSLLogger.isOn("session")) {
 799              SSLLogger.finest("Invalidated session:  " + this);
 800         }
 801         for (SSLSessionImpl child : childSessions) {
 802             child.invalidate();
 803         }
 804     }
 805 
 806     /*
 807      * Table of application-specific session data indexed by an application
 808      * key and the calling security context. This is important since
 809      * sessions can be shared across different protection domains.
 810      */
 811     private final ConcurrentHashMap<SecureKey, Object> boundValues;
 812 
 813     /**
 814      * Assigns a session value.  Session change events are given if
 815      * appropriate, to any original value as well as the new value.
 816      */
 817     @Override
 818     public void putValue(String key, Object value) {
 819         if ((key == null) || (value == null)) {
 820             throw new IllegalArgumentException("arguments can not be null");
 821         }
 822 


 895      * Use large packet sizes now or follow RFC 2246 packet sizes (2^14)
 896      * until changed.
 897      *
 898      * In the TLS specification (section 6.2.1, RFC2246), it is not
 899      * recommended that the plaintext has more than 2^14 bytes.
 900      * However, some TLS implementations violate the specification.
 901      * This is a workaround for interoperability with these stacks.
 902      *
 903      * Application could accept large fragments up to 2^15 bytes by
 904      * setting the system property jsse.SSLEngine.acceptLargeFragments
 905      * to "true".
 906      */
 907     private boolean acceptLargeFragments =
 908             Utilities.getBooleanProperty(
 909                     "jsse.SSLEngine.acceptLargeFragments", false);
 910 
 911     /**
 912      * Expand the buffer size of both SSL/TLS network packet and
 913      * application data.
 914      */
 915     protected synchronized void expandBufferSizes() {
 916         acceptLargeFragments = true;





 917     }
 918 
 919     /**
 920      * Gets the current size of the largest SSL/TLS packet that is expected
 921      * when using this session.
 922      */
 923     @Override
 924     public synchronized int getPacketBufferSize() {
 925         // Use the bigger packet size calculated from maximumPacketSize
 926         // and negotiatedMaxFragLen.
 927         int packetSize = 0;
 928         if (negotiatedMaxFragLen > 0) {
 929             packetSize = cipherSuite.calculatePacketSize(
 930                     negotiatedMaxFragLen, protocolVersion,
 931                     protocolVersion.isDTLS);
 932         }


 933 
 934         if (maximumPacketSize > 0) {
 935             return (maximumPacketSize > packetSize) ?
 936                     maximumPacketSize : packetSize;
 937         }
 938 
 939         if (packetSize != 0) {
 940            return packetSize;
 941         }
 942 
 943         if (protocolVersion.isDTLS) {
 944             return DTLSRecord.maxRecordSize;
 945         } else {
 946             return acceptLargeFragments ?
 947                     SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;



 948         }
 949     }
 950 
 951     /**
 952      * Gets the current size of the largest application data that is
 953      * expected when using this session.
 954      */
 955     @Override
 956     public synchronized int getApplicationBufferSize() {
 957         // Use the bigger fragment size calculated from maximumPacketSize
 958         // and negotiatedMaxFragLen.
 959         int fragmentSize = 0;
 960         if (maximumPacketSize > 0) {
 961             fragmentSize = cipherSuite.calculateFragSize(
 962                     maximumPacketSize, protocolVersion,
 963                     protocolVersion.isDTLS);
 964         }


 965 
 966         if (negotiatedMaxFragLen > 0) {
 967             return (negotiatedMaxFragLen > fragmentSize) ?
 968                     negotiatedMaxFragLen : fragmentSize;
 969         }
 970 
 971         if (fragmentSize != 0) {
 972             return fragmentSize;
 973         }
 974 
 975         if (protocolVersion.isDTLS) {
 976             return Record.maxDataSize;
 977         } else {
 978             int maxPacketSize = acceptLargeFragments ?
 979                         SSLRecord.maxLargeRecordSize : SSLRecord.maxRecordSize;
 980             return (maxPacketSize - SSLRecord.headerSize);



 981         }
 982     }
 983 
 984     /**
 985      * Sets the negotiated maximum fragment length, as specified by the
 986      * max_fragment_length ClientHello extension in RFC 6066.
 987      *
 988      * @param  negotiatedMaxFragLen
 989      *         the negotiated maximum fragment length, or {@code -1} if
 990      *         no such length has been negotiated.
 991      */
 992     synchronized void setNegotiatedMaxFragSize(
 993             int negotiatedMaxFragLen) {
 994 
 995         this.negotiatedMaxFragLen = negotiatedMaxFragLen;




 996     }
 997 
 998     /**
 999      * Get the negotiated maximum fragment length, as specified by the
1000      * max_fragment_length ClientHello extension in RFC 6066.
1001      *
1002      * @return the negotiated maximum fragment length, or {@code -1} if
1003      *         no such length has been negotiated.
1004      */
1005     synchronized int getNegotiatedMaxFragSize() {
1006         return negotiatedMaxFragLen;





1007     }
1008 
1009     synchronized void setMaximumPacketSize(int maximumPacketSize) {
1010         this.maximumPacketSize = maximumPacketSize;





1011     }
1012 
1013     synchronized int getMaximumPacketSize() {
1014         return maximumPacketSize;





1015     }
1016 
1017     /**
1018      * Gets an array of supported signature algorithm names that the local
1019      * side is willing to verify.
1020      */
1021     @Override
1022     public String[] getLocalSupportedSignatureAlgorithms() {
1023         return SignatureScheme.getAlgorithmNames(localSupportedSignAlgs);
1024     }
1025 
1026     /**
1027      * Gets an array of supported signature schemes that the local side is
1028      * willing to verify.
1029      */
1030     public Collection<SignatureScheme> getLocalSupportedSignatureSchemes() {
1031         return localSupportedSignAlgs;
1032     }
1033 
1034     /**


< prev index next >