1 /*
   2  * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.ssl;
  27 
  28 import java.util.ArrayList;
  29 import java.util.Collections;
  30 import java.util.Enumeration;
  31 import java.util.Locale;
  32 import javax.net.ssl.SSLSession;
  33 import javax.net.ssl.SSLSessionContext;
  34 
  35 import sun.security.action.GetIntegerAction;
  36 import sun.security.action.GetPropertyAction;
  37 import sun.security.util.Cache;
  38 
  39 
  40 /**
  41  * @systemProperty jdk.tls.server.enableSessionTicketExtension} determines if the
  42  * server will provide stateless session tickets, if the client supports it,
  43  * as described in RFC 5077 and RFC 8446.  a stateless session ticket
  44  * contains the encrypted server's state which saves server resources.
  45  *
  46  * {@systemProperty jdk.tls.client.enableSessionTicketExtension} determines if the
  47  * client will send an extension in the ClientHello in the pre-TLS 1.3.
  48  * This extension allows the client to accept the server's session state for
  49  * Server Side stateless resumption (RFC 5077).  Setting the property to
  50  * "true" turns this on, by default it is false.  For TLS 1.3, the system
  51  * property is not needed as this support is part of the spec.
  52  *
  53  * {@systemProperty jdk.tls.server.sessionTicketTimeout} determines how long
  54  * a session in the server cache or the stateless resumption tickets are
  55  * available for use.  The value set by the property can be modified by
  56  * {@code SSLSessionContext.setSessionTimeout()} during runtime.
  57  *
  58  */
  59 
  60 final class SSLSessionContextImpl implements SSLSessionContext {
  61     private final static int DEFAULT_MAX_CACHE_SIZE = 20480;
  62     // Default lifetime of a session. 24 hours
  63     final static int DEFAULT_SESSION_TIMEOUT = 86400;
  64 
  65     private final Cache<SessionId, SSLSessionImpl> sessionCache;
  66                                         // session cache, session id as key
  67     private final Cache<String, SSLSessionImpl> sessionHostPortCache;
  68                                         // session cache, "host:port" as key
  69     private int cacheLimit;             // the max cache size
  70     private int timeout;                // timeout in seconds
  71 
  72     // Does this context support stateless session (RFC 5077)
  73     private boolean statelessSession = true;
  74 
  75     // package private
  76     SSLSessionContextImpl(boolean server) {
  77         timeout = DEFAULT_SESSION_TIMEOUT;
  78         cacheLimit = getDefaults(server);    // default cache size
  79 
  80         // use soft reference
  81         sessionCache = Cache.newSoftMemoryCache(cacheLimit, timeout);
  82         sessionHostPortCache = Cache.newSoftMemoryCache(cacheLimit, timeout);
  83     }
  84 
  85     // Stateless sessions when available, but there is a cache
  86     boolean statelessEnabled() {
  87         return statelessSession;
  88     }
  89 
  90     /**
  91      * Returns the <code>SSLSession</code> bound to the specified session id.
  92      */
  93     @Override
  94     public SSLSession getSession(byte[] sessionId) {
  95         if (sessionId == null) {
  96             throw new NullPointerException("session id cannot be null");
  97         }
  98 
  99         SSLSessionImpl sess = sessionCache.get(new SessionId(sessionId));
 100         if (!isTimedout(sess)) {
 101             return sess;
 102         }
 103 
 104         return null;
 105     }
 106 
 107     /**
 108      * Returns an enumeration of the active SSL sessions.
 109      */
 110     @Override
 111     public Enumeration<byte[]> getIds() {
 112         SessionCacheVisitor scVisitor = new SessionCacheVisitor();
 113         sessionCache.accept(scVisitor);
 114 
 115         return scVisitor.getSessionIds();
 116     }
 117 
 118     /**
 119      * Sets the timeout limit for cached <code>SSLSession</code> objects
 120      *
 121      * Note that after reset the timeout, the cached session before
 122      * should be timed within the shorter one of the old timeout and the
 123      * new timeout.
 124      */
 125     @Override
 126     public void setSessionTimeout(int seconds)
 127                  throws IllegalArgumentException {
 128         if (seconds < 0) {
 129             throw new IllegalArgumentException();
 130         }
 131 
 132         if (timeout != seconds) {
 133             sessionCache.setTimeout(seconds);
 134             sessionHostPortCache.setTimeout(seconds);
 135             timeout = seconds;
 136         }
 137     }
 138 
 139     /**
 140      * Gets the timeout limit for cached <code>SSLSession</code> objects
 141      */
 142     @Override
 143     public int getSessionTimeout() {
 144         return timeout;
 145     }
 146 
 147     /**
 148      * Sets the size of the cache used for storing
 149      * <code>SSLSession</code> objects.
 150      */
 151     @Override
 152     public void setSessionCacheSize(int size)
 153                  throws IllegalArgumentException {
 154         if (size < 0)
 155             throw new IllegalArgumentException();
 156 
 157         if (cacheLimit != size) {
 158             sessionCache.setCapacity(size);
 159             sessionHostPortCache.setCapacity(size);
 160             cacheLimit = size;
 161         }
 162     }
 163 
 164     /**
 165      * Gets the size of the cache used for storing
 166      * <code>SSLSession</code> objects.
 167      */
 168     @Override
 169     public int getSessionCacheSize() {
 170         return cacheLimit;
 171     }
 172 
 173     // package-private method, used ONLY by ServerHandshaker
 174     SSLSessionImpl get(byte[] id) {
 175         return (SSLSessionImpl)getSession(id);
 176     }
 177 
 178     // package-private method, used ONLY by ClientHandshaker
 179     SSLSessionImpl get(String hostname, int port) {
 180         /*
 181          * If no session caching info is available, we won't
 182          * get one, so exit before doing a lookup.
 183          */
 184         if (hostname == null && port == -1) {
 185             return null;
 186         }
 187 
 188         SSLSessionImpl sess = sessionHostPortCache.get(getKey(hostname, port));
 189         if (!isTimedout(sess)) {
 190             return sess;
 191         }
 192 
 193         return null;
 194     }
 195 
 196     private static String getKey(String hostname, int port) {
 197         return (hostname + ":" + port).toLowerCase(Locale.ENGLISH);
 198     }
 199 
 200     // cache a SSLSession
 201     //
 202     // In SunJSSE implementation, a session is created while getting a
 203     // client hello or a server hello message, and cached while the
 204     // handshaking finished.
 205     // Here we time the session from the time it cached instead of the
 206     // time it created, which is a little longer than the expected. So
 207     // please do check isTimedout() while getting entry from the cache.
 208     void put(SSLSessionImpl s) {
 209         sessionCache.put(s.getSessionId(), s);
 210 
 211         // If no hostname/port info is available, don't add this one.
 212         if ((s.getPeerHost() != null) && (s.getPeerPort() != -1)) {
 213             sessionHostPortCache.put(
 214                 getKey(s.getPeerHost(), s.getPeerPort()), s);
 215         }
 216 
 217         s.setContext(this);
 218     }
 219 
 220     // package-private method, remove a cached SSLSession
 221     void remove(SessionId key) {
 222         SSLSessionImpl s = sessionCache.get(key);
 223         if (s != null) {
 224             sessionCache.remove(key);
 225             sessionHostPortCache.remove(
 226                     getKey(s.getPeerHost(), s.getPeerPort()));
 227         }
 228     }
 229 
 230     private int getDefaults(boolean server) {
 231         try {
 232             String st;
 233 
 234             // Property for Session Cache state
 235             if (server) {
 236                 st = GetPropertyAction.privilegedGetProperty(
 237                         "jdk.tls.server.enableSessionTicketExtension", "true");
 238             } else {
 239                 st = GetPropertyAction.privilegedGetProperty(
 240                         "jdk.tls.client.enableSessionTicketExtension", "true");
 241             }
 242             if (st.compareToIgnoreCase("false") == 0) {
 243                 statelessSession = false;
 244             }
 245 
 246             // Property for Session Ticket Timeout.  The value can be changed
 247             // by SSLSessionContext.setSessionTimeout(int)
 248             String s = GetPropertyAction.privilegedGetProperty(
 249                     "jdk.tls.server.sessionTicketTimeout");
 250             if (s != null) {
 251                 try {
 252                     int t = Integer.parseInt(s);
 253                     if (t < 0 ||
 254                             t > NewSessionTicket.MAX_TICKET_LIFETIME) {
 255                         timeout = DEFAULT_SESSION_TIMEOUT;
 256                         if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 257                             SSLLogger.warning("Invalid timeout given " +
 258                                     "jdk.tls.server.sessionTicketTimeout: " + t +
 259                                     ".  Set to default value " + timeout);
 260                         }
 261                     } else {
 262                         timeout = t;
 263                     }
 264                 } catch (NumberFormatException e) {
 265                     setSessionTimeout(DEFAULT_SESSION_TIMEOUT);
 266                     if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 267                         SSLLogger.warning("Invalid timeout for " +
 268                                 "jdk.tls.server.sessionTicketTimeout: " + s +
 269                                 ".  Set to default value " + timeout);
 270 
 271                     }
 272                 }
 273             }
 274 
 275             int defaultCacheLimit = GetIntegerAction.privilegedGetProperty(
 276                     "javax.net.ssl.sessionCacheSize", DEFAULT_MAX_CACHE_SIZE);
 277 
 278             if (defaultCacheLimit >= 0) {
 279                 return defaultCacheLimit;
 280             } else if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 281                 SSLLogger.warning(
 282                     "invalid System Property javax.net.ssl.sessionCacheSize, " +
 283                     "use the default session cache size (" +
 284                     DEFAULT_MAX_CACHE_SIZE + ") instead");
 285             }
 286         } catch (Exception e) {
 287             // unlikely, log it for safe
 288             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
 289                 SSLLogger.warning(
 290                     "the System Property javax.net.ssl.sessionCacheSize is " +
 291                     "not available, use the default value (" +
 292                     DEFAULT_MAX_CACHE_SIZE + ") instead");
 293             }
 294         }
 295 
 296         return DEFAULT_MAX_CACHE_SIZE;
 297     }
 298 
 299     private boolean isTimedout(SSLSession sess) {
 300         if (timeout == 0) {
 301             return false;
 302         }
 303 
 304         if ((sess != null) && ((sess.getCreationTime() + timeout * 1000L)
 305                                         <= (System.currentTimeMillis()))) {
 306             sess.invalidate();
 307             return true;
 308         }
 309 
 310         return false;
 311     }
 312 
 313     private final class SessionCacheVisitor
 314             implements Cache.CacheVisitor<SessionId, SSLSessionImpl> {
 315         ArrayList<byte[]> ids = null;
 316 
 317         // public void visit(java.util.Map<K,V> map) {}
 318         @Override
 319         public void visit(java.util.Map<SessionId, SSLSessionImpl> map) {
 320             ids = new ArrayList<>(map.size());
 321 
 322             for (SessionId key : map.keySet()) {
 323                 SSLSessionImpl value = map.get(key);
 324                 if (!isTimedout(value)) {
 325                     ids.add(key.getId());
 326                 }
 327             }
 328         }
 329 
 330         Enumeration<byte[]> getSessionIds() {
 331             return  ids != null ? Collections.enumeration(ids) :
 332                                   Collections.emptyEnumeration();
 333         }
 334     }
 335 }