Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one or more contributor license * agreements. See the NOTICE file distributed with this work for additional information regarding * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance with the License. You may obtain a * copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software distributed under the License * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express * or implied. See the License for the specific language governing permissions and limitations under * the License. */ package org.apache.geode.internal.net; import java.io.FileInputStream; import java.io.IOException; import java.net.BindException; import java.net.Inet4Address; import java.net.Inet6Address; import java.net.InetAddress; import java.net.InetSocketAddress; import java.net.NetworkInterface; import java.net.ServerSocket; import java.net.Socket; import java.net.SocketAddress; import java.net.SocketException; import java.net.UnknownHostException; import java.nio.channels.ServerSocketChannel; import java.security.GeneralSecurityException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.PrivateKey; import java.security.SecureRandom; import java.security.UnrecoverableKeyException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Enumeration; import java.util.HashMap; import java.util.HashSet; import java.util.Hashtable; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Properties; import java.util.Random; import java.util.Set; import javax.naming.Context; import javax.naming.NamingEnumeration; import javax.naming.directory.Attribute; import javax.naming.directory.Attributes; import javax.naming.directory.DirContext; import javax.naming.directory.InitialDirContext; import javax.net.ServerSocketFactory; import javax.net.SocketFactory; import javax.net.ssl.KeyManager; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; import org.apache.commons.lang.StringUtils; import org.apache.logging.log4j.Logger; import org.apache.geode.GemFireConfigException; import org.apache.geode.SystemConnectException; import org.apache.geode.SystemFailure; import org.apache.geode.admin.internal.InetAddressUtil; import org.apache.geode.cache.wan.GatewaySender; import org.apache.geode.cache.wan.GatewayTransportFilter; import org.apache.geode.distributed.ClientSocketFactory; import org.apache.geode.distributed.internal.DistributionConfig; import org.apache.geode.distributed.internal.DistributionConfigImpl; import org.apache.geode.distributed.internal.InternalDistributedSystem; import org.apache.geode.internal.ClassPathLoader; import org.apache.geode.internal.ConnectionWatcher; import org.apache.geode.internal.GfeConsoleReaderFactory; import org.apache.geode.internal.GfeConsoleReaderFactory.GfeConsoleReader; import org.apache.geode.internal.admin.SSLConfig; import org.apache.geode.internal.cache.wan.TransportFilterServerSocket; import org.apache.geode.internal.cache.wan.TransportFilterSocketFactory; import org.apache.geode.internal.i18n.LocalizedStrings; import org.apache.geode.internal.logging.LogService; import org.apache.geode.internal.logging.log4j.LocalizedMessage; import org.apache.geode.internal.security.SecurableCommunicationChannel; import org.apache.geode.internal.util.PasswordUtil; /** * Analyze configuration data (gemfire.properties) and configure sockets accordingly for SSL. * <p> * gemfire.useSSL = (true|false) default false.<br/> * gemfire.ssl.debug = (true|false) default false.<br/> * gemfire.ssl.needClientAuth = (true|false) default true.<br/> * gemfire.ssl.protocols = <i>list of protocols</i><br/> * gemfire.ssl.ciphers = <i>list of cipher suites</i><br/> * <p> * The following may be included to configure the certificates used by the Sun Provider. * <p> * javax.net.ssl.trustStore = <i>pathname</i><br/> * javax.net.ssl.trustStorePassword = <i>password</i><br/> * javax.net.ssl.keyStore = <i>pathname</i><br/> * javax.net.ssl.keyStorePassword = <i>password</i><br/> * <p> * Additional properties will be set as System properties to be available as needed by other * provider implementations. */ public class SocketCreator { private static final Logger logger = LogService.getLogger(); /** * Optional system property to enable GemFire usage of link-local addresses */ public static final String USE_LINK_LOCAL_ADDRESSES_PROPERTY = DistributionConfig.GEMFIRE_PREFIX + "net.useLinkLocalAddresses"; /** * True if GemFire should use link-local addresses */ private static final boolean useLinkLocalAddresses = Boolean.getBoolean(USE_LINK_LOCAL_ADDRESSES_PROPERTY); /** * we cache localHost to avoid bug #40619, access-violation in native code */ private static final InetAddress localHost; /** * all classes should use this variable to determine whether to use IPv4 or IPv6 addresses */ private static boolean useIPv6Addresses = !Boolean.getBoolean("java.net.preferIPv4Stack") && Boolean.getBoolean("java.net.preferIPv6Addresses"); private static final Map<InetAddress, String> hostNames = new HashMap<>(); /** * flag to force always using DNS (regardless of the fact that these lookups can hang) */ public static final boolean FORCE_DNS_USE = Boolean .getBoolean(DistributionConfig.GEMFIRE_PREFIX + "forceDnsUse"); /** * set this to false to inhibit host name lookup */ public static volatile boolean resolve_dns = true; /** * True if this SocketCreator has been initialized and is ready to use */ private boolean ready = false; /** * Only print this SocketCreator's config once */ private boolean configShown = false; /** * context for SSL socket factories */ private SSLContext sslContext; private SSLConfig sslConfig; static { InetAddress inetAddress = null; try { inetAddress = InetAddress.getByAddress(InetAddress.getLocalHost().getAddress()); if (inetAddress.isLoopbackAddress()) { InetAddress ipv4Fallback = null; InetAddress ipv6Fallback = null; // try to find a non-loopback address Set myInterfaces = getMyAddresses(); boolean preferIPv6 = SocketCreator.useIPv6Addresses; String lhName = null; for (Iterator<InetAddress> it = myInterfaces.iterator(); lhName == null && it.hasNext();) { InetAddress addr = it.next(); if (addr.isLoopbackAddress() || addr.isAnyLocalAddress()) { break; } boolean ipv6 = addr instanceof Inet6Address; boolean ipv4 = addr instanceof Inet4Address; if ((preferIPv6 && ipv6) || (!preferIPv6 && ipv4)) { String addrName = reverseDNS(addr); if (inetAddress.isLoopbackAddress()) { inetAddress = addr; lhName = addrName; } else if (addrName != null) { inetAddress = addr; lhName = addrName; } } else { if (preferIPv6 && ipv4 && ipv4Fallback == null) { ipv4Fallback = addr; } else if (!preferIPv6 && ipv6 && ipv6Fallback == null) { ipv6Fallback = addr; } } } // vanilla Ubuntu installations will have a usable IPv6 address when // running as a guest OS on an IPv6-enabled machine. We also look for // the alternative IPv4 configuration. if (inetAddress.isLoopbackAddress()) { if (ipv4Fallback != null) { inetAddress = ipv4Fallback; SocketCreator.useIPv6Addresses = false; } else if (ipv6Fallback != null) { inetAddress = ipv6Fallback; SocketCreator.useIPv6Addresses = true; } } } } catch (UnknownHostException e) { } localHost = inetAddress; } /** * A factory used to create client <code>Sockets</code>. */ private ClientSocketFactory clientSocketFactory; /** * Whether to enable TCP keep alive for sockets. This boolean is controlled by the * gemfire.setTcpKeepAlive java system property. If not set then GemFire will enable keep-alive on * server->client and p2p connections. */ public static final boolean ENABLE_TCP_KEEP_ALIVE; static { // bug #49484 - customers want tcp/ip keep-alive turned on by default // to avoid dropped connections. It can be turned off by setting this // property to false String str = System.getProperty(DistributionConfig.GEMFIRE_PREFIX + "setTcpKeepAlive"); if (str != null) { ENABLE_TCP_KEEP_ALIVE = Boolean.valueOf(str); } else { ENABLE_TCP_KEEP_ALIVE = true; } } // ------------------------------------------------------------------------- // Constructor // ------------------------------------------------------------------------- /** * Constructs new SocketCreator instance. */ SocketCreator(final SSLConfig sslConfig) { this.sslConfig = sslConfig; initialize(); } // ------------------------------------------------------------------------- // Static instance accessors // ------------------------------------------------------------------------- /** * All GemFire code should use this method instead of InetAddress.getLocalHost(). See bug #40619 */ public static InetAddress getLocalHost() throws UnknownHostException { if (localHost == null) { throw new UnknownHostException(); } return localHost; } /** * All classes should use this instead of relying on the JRE system property */ public static boolean preferIPv6Addresses() { return SocketCreator.useIPv6Addresses; } /** * returns the host name for the given inet address, using a local cache of names to avoid dns * hits and duplicate strings */ public static synchronized String getHostName(InetAddress addr) { String result = (String) hostNames.get(addr); if (result == null) { result = addr.getHostName(); hostNames.put(addr, result); } return result; } /** * returns the host name for the given inet address, using a local cache of names to avoid dns * hits and duplicate strings */ public static synchronized String getCanonicalHostName(InetAddress addr, String hostName) { String result = (String) hostNames.get(addr); if (result == null) { hostNames.put(addr, hostName); return hostName; } return result; } /** * Reset the hostNames caches */ public static synchronized void resetHostNameCache() { hostNames.clear(); } // ------------------------------------------------------------------------- // Initializers (change SocketCreator state) // ------------------------------------------------------------------------- /** * Initialize this SocketCreator. * <p> * Caller must synchronize on the SocketCreator instance. */ @SuppressWarnings("hiding") private void initialize() { try { // set p2p values... if (SecurableCommunicationChannel.CLUSTER.equals(sslConfig.getSecuredCommunicationChannel())) { if (this.sslConfig.isEnabled()) { System.setProperty("p2p.useSSL", "true"); System.setProperty("p2p.oldIO", "true"); System.setProperty("p2p.nodirectBuffers", "true"); } else { System.setProperty("p2p.useSSL", "false"); } } try { if (this.sslConfig.isEnabled() && sslContext == null) { sslContext = createAndConfigureSSLContext(); SSLContext.setDefault(sslContext); } } catch (Exception e) { throw new GemFireConfigException("Error configuring GemFire ssl ", e); } // make sure TCPConduit picks up p2p properties... org.apache.geode.internal.tcp.TCPConduit.init(); initializeClientSocketFactory(); this.ready = true; } catch (VirtualMachineError err) { SystemFailure.initiateFailure(err); // If this ever returns, rethrow the error. We're poisoned // now, so don't let this thread continue. throw err; } catch (Error t) { // Whenever you catch Error or Throwable, you must also // catch VirtualMachineError (see above). However, there is // _still_ a possibility that you are dealing with a cascading // error condition, so you also need to check to see if the JVM // is still usable: SystemFailure.checkFailure(); t.printStackTrace(); throw t; } catch (RuntimeException re) { re.printStackTrace(); throw re; } } /** * Creates & configures the SSLContext when SSL is enabled. * * @return new SSLContext configured using the given protocols & properties * * @throws GeneralSecurityException if security information can not be found * @throws IOException if information can not be loaded */ private SSLContext createAndConfigureSSLContext() throws GeneralSecurityException, IOException { SSLContext newSSLContext = getSSLContextInstance(); KeyManager[] keyManagers = getKeyManagers(); TrustManager[] trustManagers = getTrustManagers(); newSSLContext.init(keyManagers, trustManagers, null /* use the default secure random */); return newSSLContext; } /** * Used by CacheServerLauncher and SystemAdmin to read the properties from console * * @param env Map in which the properties are to be read from console. */ public static void readSSLProperties(Map<String, String> env) { readSSLProperties(env, false); } /** * Used to read the properties from console. AgentLauncher calls this method directly & ignores * gemfire.properties. CacheServerLauncher and SystemAdmin call this through * {@link #readSSLProperties(Map)} and do NOT ignore gemfire.properties. * * @param env Map in which the properties are to be read from console. * @param ignoreGemFirePropsFile if <code>false</code> existing gemfire.properties file is read, * if <code>true</code>, properties from gemfire.properties file are ignored. */ public static void readSSLProperties(Map<String, String> env, boolean ignoreGemFirePropsFile) { Properties props = new Properties(); DistributionConfigImpl.loadGemFireProperties(props, ignoreGemFirePropsFile); for (Object entry : props.entrySet()) { Map.Entry<String, String> ent = (Map.Entry<String, String>) entry; // if the value of ssl props is empty, read them from console if (ent.getKey().startsWith(DistributionConfig.SSL_SYSTEM_PROPS_NAME) || ent.getKey().startsWith(DistributionConfig.SYS_PROP_NAME)) { String key = ent.getKey(); if (key.startsWith(DistributionConfig.SYS_PROP_NAME)) { key = key.substring(DistributionConfig.SYS_PROP_NAME.length()); } if (ent.getValue() == null || ent.getValue().trim().equals("")) { GfeConsoleReader consoleReader = GfeConsoleReaderFactory.getDefaultConsoleReader(); if (!consoleReader.isSupported()) { throw new GemFireConfigException( "SSL properties are empty, but a console is not available"); } if (key.toLowerCase().contains("password")) { char[] password = consoleReader.readPassword("Please enter " + key + ": "); env.put(key, PasswordUtil.encrypt(new String(password), false)); } else { String val = consoleReader.readLine("Please enter " + key + ": "); env.put(key, val); } } } } } private SSLContext getSSLContextInstance() { String[] protocols = sslConfig.getProtocolsAsStringArray(); SSLContext sslContext = null; if (protocols != null && protocols.length > 0) { for (String protocol : protocols) { if (!protocol.equals("any")) { try { sslContext = SSLContext.getInstance(protocol); break; } catch (NoSuchAlgorithmException e) { // continue } } } } if (sslContext != null) { return sslContext; } // lookup known algorithms String[] knownAlgorithms = { "SSL", "SSLv2", "SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2" }; for (String algo : knownAlgorithms) { try { sslContext = SSLContext.getInstance(algo); break; } catch (NoSuchAlgorithmException e) { // continue } } return sslContext; } private TrustManager[] getTrustManagers() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException { TrustManager[] trustManagers = null; GfeConsoleReader consoleReader = GfeConsoleReaderFactory.getDefaultConsoleReader(); String trustStoreType = sslConfig.getTruststoreType(); if (StringUtils.isEmpty(trustStoreType)) { // read from console, default on empty if (consoleReader.isSupported()) { trustStoreType = consoleReader .readLine("Please enter the trustStoreType (javax.net.ssl.trustStoreType) : "); } else { trustStoreType = KeyStore.getDefaultType(); } } KeyStore ts = KeyStore.getInstance(trustStoreType); String trustStorePath = sslConfig.getTruststore(); if (StringUtils.isEmpty(trustStorePath)) { if (consoleReader.isSupported()) { trustStorePath = consoleReader .readLine("Please enter the trustStore location (javax.net.ssl.trustStore) : "); } } FileInputStream fis = new FileInputStream(trustStorePath); String passwordString = sslConfig.getTruststorePassword(); char[] password = null; if (passwordString != null) { if (passwordString.trim().equals("")) { if (!StringUtils.isEmpty(passwordString)) { String toDecrypt = "encrypted(" + passwordString + ")"; passwordString = PasswordUtil.decrypt(toDecrypt); password = passwordString.toCharArray(); } // read from the console if (StringUtils.isEmpty(passwordString) && consoleReader.isSupported()) { password = consoleReader.readPassword( "Please enter password for trustStore (javax.net.ssl.trustStorePassword) : "); } } else { password = passwordString.toCharArray(); } } ts.load(fis, password); // default algorithm can be changed by setting property "ssl.TrustManagerFactory.algorithm" in // security properties TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ts); trustManagers = tmf.getTrustManagers(); // follow the security tip in java doc if (password != null) { java.util.Arrays.fill(password, ' '); } return trustManagers; } private KeyManager[] getKeyManagers() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException { GfeConsoleReader consoleReader = GfeConsoleReaderFactory.getDefaultConsoleReader(); KeyManager[] keyManagers = null; String keyStoreType = sslConfig.getKeystoreType(); if (StringUtils.isEmpty(keyStoreType)) { // read from console, default on empty if (consoleReader.isSupported()) { keyStoreType = consoleReader .readLine("Please enter the keyStoreType (javax.net.ssl.keyStoreType) : "); } else { keyStoreType = KeyStore.getDefaultType(); } } KeyStore keyStore = KeyStore.getInstance(keyStoreType); String keyStoreFilePath = sslConfig.getKeystore(); if (StringUtils.isEmpty(keyStoreFilePath)) { if (consoleReader.isSupported()) { keyStoreFilePath = consoleReader .readLine("Please enter the keyStore location (javax.net.ssl.keyStore) : "); } else { keyStoreFilePath = System.getProperty("user.home") + System.getProperty("file.separator") + ".keystore"; } } FileInputStream fileInputStream = new FileInputStream(keyStoreFilePath); String passwordString = sslConfig.getKeystorePassword(); char[] password = null; if (passwordString != null) { if (passwordString.trim().equals("")) { String encryptedPass = System.getenv("javax.net.ssl.keyStorePassword"); if (!StringUtils.isEmpty(encryptedPass)) { String toDecrypt = "encrypted(" + encryptedPass + ")"; passwordString = PasswordUtil.decrypt(toDecrypt); password = passwordString.toCharArray(); } // read from the console if (StringUtils.isEmpty(passwordString) && consoleReader != null) { password = consoleReader .readPassword("Please enter password for keyStore (javax.net.ssl.keyStorePassword) : "); } } else { password = passwordString.toCharArray(); } } keyStore.load(fileInputStream, password); // default algorithm can be changed by setting property "ssl.KeyManagerFactory.algorithm" in // security properties KeyManagerFactory keyManagerFactory = KeyManagerFactory .getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, password); keyManagers = keyManagerFactory.getKeyManagers(); // follow the security tip in java doc if (password != null) { java.util.Arrays.fill(password, ' '); } KeyManager[] extendedKeyManagers = new KeyManager[keyManagers.length]; for (int i = 0; i < keyManagers.length; i++) { extendedKeyManagers[i] = new ExtendedAliasKeyManager(keyManagers[i], sslConfig.getAlias()); } return extendedKeyManagers; } private static final class ExtendedAliasKeyManager extends X509ExtendedKeyManager { private final X509ExtendedKeyManager delegate; private final String keyAlias; /** * Constructor. * * @param mgr The X509KeyManager used as a delegate * @param keyAlias The alias name of the server's keypair and supporting certificate chain */ ExtendedAliasKeyManager(KeyManager mgr, String keyAlias) { this.delegate = (X509ExtendedKeyManager) mgr; this.keyAlias = keyAlias; } @Override public String[] getClientAliases(final String s, final Principal[] principals) { return delegate.getClientAliases(s, principals); } @Override public String chooseClientAlias(final String[] strings, final Principal[] principals, final Socket socket) { if (!StringUtils.isEmpty(this.keyAlias)) { return keyAlias; } return delegate.chooseClientAlias(strings, principals, socket); } @Override public String[] getServerAliases(final String s, final Principal[] principals) { return delegate.getServerAliases(s, principals); } @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { if (!StringUtils.isEmpty(this.keyAlias)) { PrivateKey key = this.delegate.getPrivateKey(this.keyAlias); return getKeyAlias(keyType, key); } return this.delegate.chooseServerAlias(keyType, issuers, socket); } @Override public X509Certificate[] getCertificateChain(final String s) { if (!StringUtils.isEmpty(this.keyAlias)) { return delegate.getCertificateChain(keyAlias); } return delegate.getCertificateChain(s); } @Override public PrivateKey getPrivateKey(final String alias) { return delegate.getPrivateKey(alias); } @Override public String chooseEngineServerAlias(final String keyType, final Principal[] principals, final SSLEngine sslEngine) { if (!StringUtils.isEmpty(this.keyAlias)) { PrivateKey key = this.delegate.getPrivateKey(this.keyAlias); return getKeyAlias(keyType, key); } return this.delegate.chooseEngineServerAlias(keyType, principals, sslEngine); } private String getKeyAlias(final String keyType, final PrivateKey key) { if (key != null) { if (key.getAlgorithm().equals(keyType)) { return this.keyAlias; } else { return null; } } else { return null; } } } // ------------------------------------------------------------------------- // Public methods // ------------------------------------------------------------------------- /** * Returns true if this SocketCreator is configured to use SSL. */ public boolean useSSL() { return this.sslConfig.isEnabled(); } /** * Return a ServerSocket possibly configured for SSL. SSL configuration is left up to JSSE * properties in java.security file. */ public ServerSocket createServerSocket(int nport, int backlog) throws IOException { return createServerSocket(nport, backlog, null); } public ServerSocket createServerSocket(int nport, int backlog, InetAddress bindAddr, List<GatewayTransportFilter> transportFilters, int socketBufferSize) throws IOException { if (transportFilters.isEmpty()) { return createServerSocket(nport, backlog, bindAddr, socketBufferSize); } else { printConfig(); ServerSocket result = new TransportFilterServerSocket(transportFilters); result.setReuseAddress(true); // Set the receive buffer size before binding the socket so // that large buffers will be allocated on accepted sockets (see // java.net.ServerSocket.setReceiverBufferSize javadocs) result.setReceiveBufferSize(socketBufferSize); try { result.bind(new InetSocketAddress(bindAddr, nport), backlog); } catch (BindException e) { BindException throwMe = new BindException( LocalizedStrings.SocketCreator_FAILED_TO_CREATE_SERVER_SOCKET_ON_0_1 .toLocalizedString(new Object[] { bindAddr, Integer.valueOf(nport) })); throwMe.initCause(e); throw throwMe; } return result; } } /** * Return a ServerSocket possibly configured for SSL. SSL configuration is left up to JSSE * properties in java.security file. */ public ServerSocket createServerSocket(int nport, int backlog, InetAddress bindAddr) throws IOException { return createServerSocket(nport, backlog, bindAddr, -1, sslConfig.isEnabled()); } public ServerSocket createServerSocket(int nport, int backlog, InetAddress bindAddr, int socketBufferSize) throws IOException { return createServerSocket(nport, backlog, bindAddr, socketBufferSize, sslConfig.isEnabled()); } private ServerSocket createServerSocket(int nport, int backlog, InetAddress bindAddr, int socketBufferSize, boolean sslConnection) throws IOException { printConfig(); if (sslConnection) { if (this.sslContext == null) { throw new GemFireConfigException("SSL not configured correctly, Please look at previous error"); } ServerSocketFactory ssf = this.sslContext.getServerSocketFactory(); SSLServerSocket serverSocket = (SSLServerSocket) ssf.createServerSocket(); serverSocket.setReuseAddress(true); // If necessary, set the receive buffer size before binding the socket so // that large buffers will be allocated on accepted sockets (see // java.net.ServerSocket.setReceiverBufferSize javadocs) if (socketBufferSize != -1) { serverSocket.setReceiveBufferSize(socketBufferSize); } serverSocket.bind(new InetSocketAddress(bindAddr, nport), backlog); finishServerSocket(serverSocket); return serverSocket; } else { // log.info("Opening server socket on " + nport, new Exception("SocketCreation")); ServerSocket result = new ServerSocket(); result.setReuseAddress(true); // If necessary, set the receive buffer size before binding the socket so // that large buffers will be allocated on accepted sockets (see // java.net.ServerSocket.setReceiverBufferSize javadocs) if (socketBufferSize != -1) { result.setReceiveBufferSize(socketBufferSize); } try { result.bind(new InetSocketAddress(bindAddr, nport), backlog); } catch (BindException e) { BindException throwMe = new BindException( LocalizedStrings.SocketCreator_FAILED_TO_CREATE_SERVER_SOCKET_ON_0_1 .toLocalizedString(new Object[] { bindAddr, Integer.valueOf(nport) })); throwMe.initCause(e); throw throwMe; } return result; } } /** * Creates or bind server socket to a random port selected from tcp-port-range which is same as * membership-port-range. * * @param ba * @param backlog * @param isBindAddress * @param tcpBufferSize * * @return Returns the new server socket. * * @throws IOException */ public ServerSocket createServerSocketUsingPortRange(InetAddress ba, int backlog, boolean isBindAddress, boolean useNIO, int tcpBufferSize, int[] tcpPortRange) throws IOException { return createServerSocketUsingPortRange(ba, backlog, isBindAddress, useNIO, tcpBufferSize, tcpPortRange, sslConfig.isEnabled()); } /** * Creates or bind server socket to a random port selected from tcp-port-range which is same as * membership-port-range. * * @param ba * @param backlog * @param isBindAddress * @param tcpBufferSize * @param sslConnection whether to connect using SSL * * @return Returns the new server socket. * * @throws IOException */ public ServerSocket createServerSocketUsingPortRange(InetAddress ba, int backlog, boolean isBindAddress, boolean useNIO, int tcpBufferSize, int[] tcpPortRange, boolean sslConnection) throws IOException { ServerSocket socket = null; int localPort = 0; int startingPort = 0; // Get a random port from range. Random rand = new SecureRandom(); int portLimit = tcpPortRange[1]; int randPort = tcpPortRange[0] + rand.nextInt(tcpPortRange[1] - tcpPortRange[0] + 1); startingPort = randPort; localPort = startingPort; while (true) { if (localPort > portLimit) { if (startingPort != 0) { localPort = tcpPortRange[0]; portLimit = startingPort - 1; startingPort = 0; } else { throw new SystemConnectException( LocalizedStrings.TCPConduit_UNABLE_TO_FIND_FREE_PORT.toLocalizedString()); } } try { if (useNIO) { ServerSocketChannel channl = ServerSocketChannel.open(); socket = channl.socket(); InetSocketAddress addr = new InetSocketAddress(isBindAddress ? ba : null, localPort); socket.bind(addr, backlog); } else { socket = this.createServerSocket(localPort, backlog, isBindAddress ? ba : null, tcpBufferSize, sslConnection); } break; } catch (java.net.SocketException ex) { if (useNIO || SocketCreator.treatAsBindException(ex)) { localPort++; } else { throw ex; } } } return socket; } public static boolean treatAsBindException(SocketException se) { if (se instanceof BindException) { return true; } final String msg = se.getMessage(); return (msg != null && msg.contains("Invalid argument: listen failed")); } /** * Return a client socket. This method is used by client/server clients. */ public Socket connectForClient(String host, int port, int timeout) throws IOException { return connect(InetAddress.getByName(host), port, timeout, null, true, -1); } /** * Return a client socket. This method is used by client/server clients. */ public Socket connectForClient(String host, int port, int timeout, int socketBufferSize) throws IOException { return connect(InetAddress.getByName(host), port, timeout, null, true, socketBufferSize); } /** * Return a client socket. This method is used by peers. */ public Socket connectForServer(InetAddress inetadd, int port) throws IOException { return connect(inetadd, port, 0, null, false, -1); } /** * Return a client socket. This method is used by peers. */ public Socket connectForServer(InetAddress inetadd, int port, int socketBufferSize) throws IOException { return connect(inetadd, port, 0, null, false, socketBufferSize); } /** * Return a client socket, timing out if unable to connect and timeout > 0 (millis). The parameter * <i>timeout</i> is ignored if SSL is being used, as there is no timeout argument in the ssl * socket factory */ public Socket connect(InetAddress inetadd, int port, int timeout, ConnectionWatcher optionalWatcher, boolean clientSide) throws IOException { return connect(inetadd, port, timeout, optionalWatcher, clientSide, -1); } /** * Return a client socket, timing out if unable to connect and timeout > 0 (millis). The parameter * <i>timeout</i> is ignored if SSL is being used, as there is no timeout argument in the ssl * socket factory */ public Socket connect(InetAddress inetadd, int port, int timeout, ConnectionWatcher optionalWatcher, boolean clientSide, int socketBufferSize) throws IOException { return connect(inetadd, port, timeout, optionalWatcher, clientSide, socketBufferSize, sslConfig.isEnabled()); } /** * Return a client socket, timing out if unable to connect and timeout > 0 (millis). The parameter * <i>timeout</i> is ignored if SSL is being used, as there is no timeout argument in the ssl * socket factory */ public Socket connect(InetAddress inetadd, int port, int timeout, ConnectionWatcher optionalWatcher, boolean clientSide, int socketBufferSize, boolean sslConnection) throws IOException { Socket socket = null; SocketAddress sockaddr = new InetSocketAddress(inetadd, port); printConfig(); try { if (sslConnection) { if (this.sslContext == null) { throw new GemFireConfigException("SSL not configured correctly, Please look at previous error"); } SocketFactory sf = this.sslContext.getSocketFactory(); socket = sf.createSocket(); // Optionally enable SO_KEEPALIVE in the OS network protocol. socket.setKeepAlive(ENABLE_TCP_KEEP_ALIVE); // If necessary, set the receive buffer size before connecting the // socket so that large buffers will be allocated on accepted sockets // (see java.net.Socket.setReceiverBufferSize javadocs for details) if (socketBufferSize != -1) { socket.setReceiveBufferSize(socketBufferSize); } if (optionalWatcher != null) { optionalWatcher.beforeConnect(socket); } socket.connect(sockaddr, Math.max(timeout, 0)); configureClientSSLSocket(socket, timeout); return socket; } else { if (clientSide && this.clientSocketFactory != null) { socket = this.clientSocketFactory.createSocket(inetadd, port); } else { socket = new Socket(); // Optionally enable SO_KEEPALIVE in the OS network protocol. socket.setKeepAlive(ENABLE_TCP_KEEP_ALIVE); // If necessary, set the receive buffer size before connecting the // socket so that large buffers will be allocated on accepted sockets // (see java.net.Socket.setReceiverBufferSize javadocs for details) if (socketBufferSize != -1) { socket.setReceiveBufferSize(socketBufferSize); } if (optionalWatcher != null) { optionalWatcher.beforeConnect(socket); } socket.connect(sockaddr, Math.max(timeout, 0)); } return socket; } } finally { if (optionalWatcher != null) { optionalWatcher.afterConnect(socket); } } } /** * Will be a server socket... this one simply registers the listeners. */ public void configureServerSSLSocket(Socket socket) throws IOException { if (socket instanceof SSLSocket) { SSLSocket sslSocket = (SSLSocket) socket; try { sslSocket.startHandshake(); SSLSession session = sslSocket.getSession(); Certificate[] peer = session.getPeerCertificates(); if (logger.isDebugEnabled()) { logger.debug(LocalizedMessage.create(LocalizedStrings.SocketCreator_SSL_CONNECTION_FROM_PEER_0, ((X509Certificate) peer[0]).getSubjectDN())); } } catch (SSLPeerUnverifiedException ex) { if (this.sslConfig.isRequireAuth()) { logger.fatal( LocalizedMessage.create( LocalizedStrings.SocketCreator_SSL_ERROR_IN_AUTHENTICATING_PEER_0_1, new Object[] { socket.getInetAddress(), Integer.valueOf(socket.getPort()) }), ex); throw ex; } } catch (SSLException ex) { logger.fatal( LocalizedMessage.create(LocalizedStrings.SocketCreator_SSL_ERROR_IN_CONNECTING_TO_PEER_0_1, new Object[] { socket.getInetAddress(), Integer.valueOf(socket.getPort()) }), ex); throw ex; } } } // ------------------------------------------------------------------------- // Private implementation methods // ------------------------------------------------------------------------- /** * Configure the SSLServerSocket based on this SocketCreator's settings. */ private void finishServerSocket(SSLServerSocket serverSocket) throws IOException { serverSocket.setUseClientMode(false); if (this.sslConfig.isRequireAuth()) { // serverSocket.setWantClientAuth( true ); serverSocket.setNeedClientAuth(true); } serverSocket.setEnableSessionCreation(true); // restrict protocols String[] protocols = this.sslConfig.getProtocolsAsStringArray(); if (!"any".equalsIgnoreCase(protocols[0])) { serverSocket.setEnabledProtocols(protocols); } // restrict ciphers String[] ciphers = this.sslConfig.getCiphersAsStringArray(); if (!"any".equalsIgnoreCase(ciphers[0])) { serverSocket.setEnabledCipherSuites(ciphers); } } /** * When a socket is accepted from a server socket, it should be passed to this method for SSL * configuration. */ private void configureClientSSLSocket(Socket socket, int timeout) throws IOException { if (socket instanceof SSLSocket) { SSLSocket sslSocket = (SSLSocket) socket; sslSocket.setUseClientMode(true); sslSocket.setEnableSessionCreation(true); String[] protocols = this.sslConfig.getProtocolsAsStringArray(); // restrict cyphers if (protocols != null && !"any".equalsIgnoreCase(protocols[0])) { sslSocket.setEnabledProtocols(protocols); } String[] ciphers = this.sslConfig.getCiphersAsStringArray(); if (ciphers != null && !"any".equalsIgnoreCase(ciphers[0])) { sslSocket.setEnabledCipherSuites(ciphers); } try { if (timeout > 0) { sslSocket.setSoTimeout(timeout); } sslSocket.startHandshake(); SSLSession session = sslSocket.getSession(); Certificate[] peer = session.getPeerCertificates(); if (logger.isDebugEnabled()) { logger.debug(LocalizedMessage.create(LocalizedStrings.SocketCreator_SSL_CONNECTION_FROM_PEER_0, ((X509Certificate) peer[0]).getSubjectDN())); } } catch (SSLHandshakeException ex) { logger.fatal( LocalizedMessage.create(LocalizedStrings.SocketCreator_SSL_ERROR_IN_CONNECTING_TO_PEER_0_1, new Object[] { socket.getInetAddress(), Integer.valueOf(socket.getPort()) }), ex); throw ex; } catch (SSLPeerUnverifiedException ex) { if (this.sslConfig.isRequireAuth()) { logger.fatal(LocalizedMessage .create(LocalizedStrings.SocketCreator_SSL_ERROR_IN_AUTHENTICATING_PEER), ex); throw ex; } } catch (SSLException ex) { logger.fatal( LocalizedMessage.create(LocalizedStrings.SocketCreator_SSL_ERROR_IN_CONNECTING_TO_PEER_0_1, new Object[] { socket.getInetAddress(), Integer.valueOf(socket.getPort()) }), ex); throw ex; } } } /** * Print current configured state to log. */ private void printConfig() { if (!configShown && logger.isDebugEnabled()) { configShown = true; StringBuffer sb = new StringBuffer(); sb.append("SSL Configuration: \n"); sb.append(" ssl-enabled = " + this.sslConfig.isEnabled()).append("\n"); // add other options here.... for (String key : System.getProperties().stringPropertyNames()) { // fix for 46822 if (key.startsWith("javax.net.ssl")) { sb.append(" ").append(key).append(" = ").append(System.getProperty(key)).append("\n"); } } logger.debug(sb.toString()); } } protected void initializeClientSocketFactory() { this.clientSocketFactory = null; String className = System.getProperty(DistributionConfig.GEMFIRE_PREFIX + "clientSocketFactory"); if (className != null) { Object o; try { Class c = ClassPathLoader.getLatest().forName(className); o = c.newInstance(); } catch (Exception e) { // No cache exists yet, so this can't be logged. String s = "An unexpected exception occurred while instantiating a " + className + ": " + e; throw new IllegalArgumentException(s); } if (o instanceof ClientSocketFactory) { this.clientSocketFactory = (ClientSocketFactory) o; } else { String s = "Class \"" + className + "\" is not a ClientSocketFactory"; throw new IllegalArgumentException(s); } } } public void initializeTransportFilterClientSocketFactory(GatewaySender sender) { this.clientSocketFactory = new TransportFilterSocketFactory() .setGatewayTransportFilters(sender.getGatewayTransportFilters()); } /** * returns a set of the non-loopback InetAddresses for this machine */ public static Set<InetAddress> getMyAddresses() { Set<InetAddress> result = new HashSet<InetAddress>(); Set<InetAddress> locals = new HashSet<InetAddress>(); Enumeration<NetworkInterface> interfaces; try { interfaces = NetworkInterface.getNetworkInterfaces(); } catch (SocketException e) { throw new IllegalArgumentException( LocalizedStrings.StartupMessage_UNABLE_TO_EXAMINE_NETWORK_INTERFACES.toLocalizedString(), e); } while (interfaces.hasMoreElements()) { NetworkInterface face = interfaces.nextElement(); boolean faceIsUp = false; try { faceIsUp = face.isUp(); } catch (SocketException e) { InternalDistributedSystem ids = InternalDistributedSystem.getAnyInstance(); if (ids != null) { logger.info("Failed to check if network interface is up. Skipping {}", face, e); } } if (faceIsUp) { Enumeration<InetAddress> addrs = face.getInetAddresses(); while (addrs.hasMoreElements()) { InetAddress addr = addrs.nextElement(); if (addr.isLoopbackAddress() || addr.isAnyLocalAddress() || (!useLinkLocalAddresses && addr.isLinkLocalAddress())) { locals.add(addr); } else { result.add(addr); } } // while } } // while // fix for bug #42427 - allow product to run on a standalone box by using // local addresses if there are no non-local addresses available if (result.size() == 0) { return locals; } else { return result; } } /** * This method uses JNDI to look up an address in DNS and return its name * * @param addr * * @return the host name associated with the address or null if lookup isn't possible or there is * no host name for this address */ public static String reverseDNS(InetAddress addr) { byte[] addrBytes = addr.getAddress(); // reverse the address suitable for reverse lookup String lookup = ""; for (int index = addrBytes.length - 1; index >= 0; index--) { lookup = lookup + (addrBytes[index] & 0xff) + '.'; } lookup += "in-addr.arpa"; // System.out.println("Looking up: " + lookup); try { Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory"); DirContext ctx = new InitialDirContext(env); Attributes attrs = ctx.getAttributes(lookup, new String[] { "PTR" }); for (NamingEnumeration ae = attrs.getAll(); ae.hasMoreElements();) { Attribute attr = (Attribute) ae.next(); for (Enumeration vals = attr.getAll(); vals.hasMoreElements();) { Object elem = vals.nextElement(); if ("PTR".equals(attr.getID()) && elem != null) { return elem.toString(); } } } ctx.close(); } catch (Exception e) { // ignored } return null; } /** * Returns true if host matches the LOCALHOST. */ public static boolean isLocalHost(Object host) { if (host instanceof InetAddress) { if (InetAddressUtil.LOCALHOST.equals(host)) { return true; } else if (((InetAddress) host).isLoopbackAddress()) { return true; } else { try { Enumeration en = NetworkInterface.getNetworkInterfaces(); while (en.hasMoreElements()) { NetworkInterface i = (NetworkInterface) en.nextElement(); for (Enumeration en2 = i.getInetAddresses(); en2.hasMoreElements();) { InetAddress addr = (InetAddress) en2.nextElement(); if (host.equals(addr)) { return true; } } } return false; } catch (SocketException e) { throw new IllegalArgumentException( LocalizedStrings.InetAddressUtil_UNABLE_TO_QUERY_NETWORK_INTERFACE.toLocalizedString(), e); } } } else { return isLocalHost(toInetAddress(host.toString())); } } /** * Converts the string host to an instance of InetAddress. Returns null if the string is empty. * Fails Assertion if the conversion would result in <code>java.lang.UnknownHostException</code>. * <p> * Any leading slashes on host will be ignored. * * @param host string version the InetAddress * * @return the host converted to InetAddress instance */ public static InetAddress toInetAddress(String host) { if (host == null || host.length() == 0) { return null; } try { if (host.indexOf("/") > -1) { return InetAddress.getByName(host.substring(host.indexOf("/") + 1)); } else { return InetAddress.getByName(host); } } catch (java.net.UnknownHostException e) { throw new IllegalArgumentException(e.getMessage()); } } }