/**
* Handles a specific <tt>IOException</tt> which was thrown during the execution of {@link
* #runInConnectThread(DTLSProtocol, TlsPeer, DatagramTransport)} while trying to establish a DTLS
* connection
*
* @param ioe the <tt>IOException</tt> to handle
* @param msg the human-readable message to log about the specified <tt>ioe</tt>
* @param i the number of tries remaining after the current one
* @return <tt>true</tt> if the specified <tt>ioe</tt> was successfully handled; <tt>false</tt>,
* otherwise
*/
private boolean handleRunInConnectThreadException(IOException ioe, String msg, int i) {
// SrtpControl.start(MediaType) starts its associated TransformEngine.
// We will use that mediaType to signal the normal stop then as well
// i.e. we will ignore exception after the procedure to stop this
// PacketTransformer has begun.
if (mediaType == null) return false;
if (ioe instanceof TlsFatalAlert) {
TlsFatalAlert tfa = (TlsFatalAlert) ioe;
short alertDescription = tfa.getAlertDescription();
if (alertDescription == AlertDescription.unexpected_message) {
msg += " Received fatal unexpected message.";
if (i == 0
|| !Thread.currentThread().equals(connectThread)
|| connector == null
|| mediaType == null) {
msg += " Giving up after " + (CONNECT_TRIES - i) + " retries.";
} else {
msg += " Will retry.";
logger.error(msg, ioe);
return true;
}
} else {
msg += " Received fatal alert " + alertDescription + ".";
}
}
logger.error(msg, ioe);
return false;
}
/** Create LockssKeystores from config subtree below {@link #PARAM_KEYSTORE} */
void configureKeyStores(Configuration config) {
Configuration allKs = config.getConfigTree(PARAM_KEYSTORE);
for (Iterator iter = allKs.nodeIterator(); iter.hasNext(); ) {
String id = (String) iter.next();
Configuration oneKs = allKs.getConfigTree(id);
try {
LockssKeyStore lk = createLockssKeyStore(oneKs);
String name = lk.getName();
if (name == null) {
log.error("KeyStore definition missing name: " + oneKs);
continue;
}
LockssKeyStore old = keystoreMap.get(name);
if (old != null && !lk.equals(old)) {
log.warning(
"Keystore "
+ name
+ " redefined. "
+ "New definition may not take effect until daemon restart");
}
log.debug("Adding keystore " + name);
keystoreMap.put(name, lk);
} catch (Exception e) {
log.error("Couldn't create keystore: " + oneKs, e);
}
}
}
/** Stops this <tt>PacketTransformer</tt>. */
private synchronized void stop() {
if (connectThread != null) connectThread = null;
try {
// The dtlsTransport and _srtpTransformer SHOULD be closed, of
// course. The datagramTransport MUST be closed.
if (dtlsTransport != null) {
try {
dtlsTransport.close();
} catch (IOException ioe) {
logger.error("Failed to (properly) close " + dtlsTransport.getClass(), ioe);
}
dtlsTransport = null;
}
if (_srtpTransformer != null) {
_srtpTransformer.close();
_srtpTransformer = null;
}
} finally {
try {
closeDatagramTransport();
} finally {
notifyAll();
}
}
}
void loadKeyStores() {
List<LockssKeyStore> lst = new ArrayList<LockssKeyStore>(keystoreMap.values());
for (LockssKeyStore lk : lst) {
try {
lk.load();
} catch (Exception e) {
log.error("Can't load keystore " + lk.getName(), e);
keystoreMap.remove(lk.getName());
}
}
}
static {
try {
File file = new File("/dev/urandom");
// This stream is deliberately leaked.
urandom = new FileInputStream(file);
if (urandom.read() == -1) throw new RuntimeException("/dev/urandom not readable?");
// Now override the default SecureRandom implementation with this one.
int position = Security.insertProviderAt(new LinuxSecureRandomProvider(), 1);
if (position != -1) log.info("Secure randomness will be read from {} only.", file);
else log.info("Randomness is already secure.");
} catch (FileNotFoundException e) {
// Should never happen.
log.error("/dev/urandom does not appear to exist or is not openable");
throw new RuntimeException(e);
} catch (IOException e) {
log.error("/dev/urandom does not appear to be readable");
throw new RuntimeException(e);
}
}
/**
* Computes and returns the hash of the specified <tt>capsString</tt> using the specified
* <tt>hashAlgorithm</tt>.
*
* @param hashAlgorithm the name of the algorithm to be used to generate the hash
* @param capsString the capabilities string that we'd like to compute a hash for.
* @return the hash of <tt>capsString</tt> computed by the specified <tt>hashAlgorithm</tt> or
* <tt>null</tt> if generating the hash has failed
*/
private static String capsToHash(String hashAlgorithm, String capsString) {
try {
MessageDigest md = MessageDigest.getInstance(hashAlgorithm);
byte[] digest = md.digest(capsString.getBytes());
return Base64.encodeBytes(digest);
} catch (NoSuchAlgorithmException nsae) {
logger.error("Unsupported XEP-0115: Entity Capabilities hash algorithm: " + hashAlgorithm);
return null;
}
}
/**
* Closes {@link #datagramTransport} if it is non-<tt>null</tt> and logs and swallows any
* <tt>IOException</tt>.
*/
private void closeDatagramTransport() {
if (datagramTransport != null) {
try {
datagramTransport.close();
} catch (IOException ioe) {
// DatagramTransportImpl has no reason to fail because it is
// merely an adapter of #connector and this PacketTransformer to
// the terms of the Bouncy Castle Crypto API.
logger.error("Failed to (properly) close " + datagramTransport.getClass(), ioe);
}
datagramTransport = null;
}
}
public static void load(Collection<FileDesc> files, Path root, int blocSize, Pattern pattern)
throws IOException {
root = root.toAbsolutePath().normalize();
Visitor visitor = new Visitor(root, blocSize, pattern);
Files.walkFileTree(root, visitor);
for (Future<FileDesc> future : visitor.futures()) {
try {
files.add(future.get());
} catch (Exception e) {
log.error("", e);
}
}
}
/**
* Sends the data contained in a specific byte array as application data through the DTLS
* connection of this <tt>DtlsPacketTransformer</tt>.
*
* @param buf the byte array containing data to send.
* @param off the offset in <tt>buf</tt> where the data begins.
* @param len the length of data to send.
*/
public void sendApplicationData(byte[] buf, int off, int len) {
DTLSTransport dtlsTransport = this.dtlsTransport;
Throwable throwable = null;
if (dtlsTransport != null) {
try {
dtlsTransport.send(buf, off, len);
} catch (IOException ioe) {
throwable = ioe;
}
} else {
throwable = new NullPointerException("dtlsTransport");
}
if (throwable != null) {
// SrtpControl.start(MediaType) starts its associated
// TransformEngine. We will use that mediaType to signal the normal
// stop then as well i.e. we will ignore exception after the
// procedure to stop this PacketTransformer has begun.
if (mediaType != null && !tlsPeerHasRaisedCloseNotifyWarning) {
logger.error("Failed to send application data over DTLS transport: ", throwable);
}
}
}
/** {@inheritDoc} */
@Override
public RawPacket reverseTransform(RawPacket pkt) {
byte[] buf = pkt.getBuffer();
int off = pkt.getOffset();
int len = pkt.getLength();
if (isDtlsRecord(buf, off, len)) {
if (rtcpmux && Component.RTCP == componentID) {
// This should never happen.
logger.warn(
"Dropping a DTLS record, because it was received on the"
+ " RTCP channel while rtcpmux is in use.");
return null;
}
boolean receive;
synchronized (this) {
if (datagramTransport == null) {
receive = false;
} else {
datagramTransport.queueReceive(buf, off, len);
receive = true;
}
}
if (receive) {
DTLSTransport dtlsTransport = this.dtlsTransport;
if (dtlsTransport == null) {
// The specified pkt looks like a DTLS record and it has
// been consumed for the purposes of the secure channel
// represented by this PacketTransformer.
pkt = null;
} else {
try {
int receiveLimit = dtlsTransport.getReceiveLimit();
int delta = receiveLimit - len;
if (delta > 0) {
pkt.grow(delta);
buf = pkt.getBuffer();
off = pkt.getOffset();
len = pkt.getLength();
} else if (delta < 0) {
pkt.shrink(-delta);
buf = pkt.getBuffer();
off = pkt.getOffset();
len = pkt.getLength();
}
int received = dtlsTransport.receive(buf, off, len, DTLS_TRANSPORT_RECEIVE_WAITMILLIS);
if (received <= 0) {
// No application data was decoded.
pkt = null;
} else {
delta = len - received;
if (delta > 0) pkt.shrink(delta);
}
} catch (IOException ioe) {
pkt = null;
// SrtpControl.start(MediaType) starts its associated
// TransformEngine. We will use that mediaType to signal
// the normal stop then as well i.e. we will ignore
// exception after the procedure to stop this
// PacketTransformer has begun.
if (mediaType != null && !tlsPeerHasRaisedCloseNotifyWarning) {
logger.error("Failed to decode a DTLS record!", ioe);
}
}
}
} else {
// The specified pkt looks like a DTLS record but it is
// unexpected in the current state of the secure channel
// represented by this PacketTransformer. This PacketTransformer
// has not been started (successfully) or has been closed.
pkt = null;
}
} else if (transformEngine.isSrtpDisabled()) {
// In pure DTLS mode only DTLS records pass through.
pkt = null;
} else {
// DTLS-SRTP has not been initialized yet or has failed to
// initialize.
SinglePacketTransformer srtpTransformer = waitInitializeAndGetSRTPTransformer();
if (srtpTransformer != null) pkt = srtpTransformer.reverseTransform(pkt);
else if (DROP_UNENCRYPTED_PKTS) pkt = null;
// XXX Else, it is our explicit policy to let the received packet
// pass through and rely on the SrtpListener to notify the user that
// the session is not secured.
}
return pkt;
}
/**
* Retrieve DiscoverInfo for a specific node.
*
* @param caps the <tt>Caps</tt> i.e. the node, the hash and the ver
* @return The corresponding DiscoverInfo or null if none is known.
*/
public static DiscoverInfo getDiscoverInfoByCaps(Caps caps) {
synchronized (caps2discoverInfo) {
DiscoverInfo discoverInfo = caps2discoverInfo.get(caps);
/*
* If we don't have the discoverInfo in the runtime cache yet, we
* may have it remembered in a previous application instance.
*/
if (discoverInfo == null) {
ConfigurationService configurationService = getConfigService();
String capsPropertyName = getCapsPropertyName(caps);
String xml = configurationService.getString(capsPropertyName);
if ((xml != null) && (xml.length() != 0)) {
IQProvider discoverInfoProvider =
(IQProvider)
ProviderManager.getInstance()
.getIQProvider("query", "http://jabber.org/protocol/disco#info");
if (discoverInfoProvider != null) {
XmlPullParser parser = new MXParser();
try {
parser.setFeature(XmlPullParser.FEATURE_PROCESS_NAMESPACES, true);
parser.setInput(new StringReader(xml));
// Start the parser.
parser.next();
} catch (XmlPullParserException xppex) {
parser = null;
} catch (IOException ioex) {
parser = null;
}
if (parser != null) {
try {
discoverInfo = (DiscoverInfo) discoverInfoProvider.parseIQ(parser);
} catch (Exception ex) {
}
if (discoverInfo != null) {
if (caps.isValid(discoverInfo)) caps2discoverInfo.put(caps, discoverInfo);
else {
logger.error(
"Invalid DiscoverInfo for " + caps.getNodeVer() + ": " + discoverInfo);
/*
* The discoverInfo doesn't seem valid
* according to the caps which means that we
* must have stored invalid information.
* Delete the invalid information in order
* to not try to validate it again.
*/
configurationService.removeProperty(capsPropertyName);
}
}
}
}
}
}
return discoverInfo;
}
}