Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

pg/src/main/java/org/bouncycastle/apache/bzip2/CBZip2InputStream.java

@@ -140,6 +140,11 @@ public CBZip2InputStream(InputStream zStream)
         beginBlock();
     }
 
+    public void close() throws IOException
+    {
+        implClose(true);
+    }
+
     public int read()
         throws IOException
     {
@@ -186,7 +191,7 @@ private void beginBlock()
                 throw new IOException("Stream CRC error");
             }
 
-            bsFinishedWithStream();
+            // TODO If not a LeaveOpen stream, should we check that we are at the end of stream here?
             streamEnd = true;
             return;
         }
@@ -250,22 +255,16 @@ private void endBlock()
         streamCRC = Integers.rotateLeft(streamCRC, 1) ^ blockFinalCRC;
     }
 
-    private void bsFinishedWithStream()
+    private void implClose(boolean closeInput) throws IOException
     {
-        try
+        if (this.bsStream != null)
         {
-            if (this.bsStream != null)
+            if (closeInput)
             {
-                if (this.bsStream != System.in)
-                {
-                    this.bsStream.close();
-                    this.bsStream = null;
-                }
+                this.bsStream.close();
             }
-        }
-        catch (IOException ioe)
-        {
-            //ignore
+
+            this.bsStream = null;
         }
     }
 

tls/src/main/java/org/bouncycastle/jsse/BCExtendedSSLSession.java

@@ -3,10 +3,23 @@
 import java.util.Collections;
 import java.util.List;
 
+import javax.crypto.SecretKey;
+import javax.net.ssl.SSLKeyException;
 import javax.net.ssl.SSLSession;
 
 public abstract class BCExtendedSSLSession implements SSLSession
 {
+    public byte[] exportKeyingMaterialData(String label, byte[] context, int length) throws SSLKeyException
+    {
+        throw new UnsupportedOperationException();
+    }
+
+    public SecretKey exportKeyingMaterialKey(String keyAlg, String label, byte[] context, int length)
+        throws SSLKeyException
+    {
+        throw new UnsupportedOperationException();
+    }
+
     public abstract String[] getLocalSupportedSignatureAlgorithms();
 
     public String[] getLocalSupportedSignatureAlgorithmsBC()

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSession.java

@@ -2,6 +2,7 @@
 
 import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.atomic.AtomicLong;
 
 import org.bouncycastle.jsse.BCSNIServerName;
 import org.bouncycastle.tls.CipherSuite;
@@ -15,15 +16,28 @@ class ProvSSLSession
     protected final TlsSession tlsSession;
     protected final SessionParameters sessionParameters;
     protected final JsseSessionParameters jsseSessionParameters;
+    protected final AtomicLong lastAccessedTime;
 
     ProvSSLSession(ProvSSLSessionContext sslSessionContext, ConcurrentHashMap<String, Object> valueMap, String peerHost,
-        int peerPort, TlsSession tlsSession, JsseSessionParameters jsseSessionParameters)
+        int peerPort, long creationTime, TlsSession tlsSession, JsseSessionParameters jsseSessionParameters)
     {
-        super(sslSessionContext, valueMap, peerHost, peerPort);
+        super(sslSessionContext, valueMap, peerHost, peerPort, creationTime);
 
         this.tlsSession = tlsSession;
         this.sessionParameters = tlsSession == null ? null : tlsSession.exportSessionParameters();
         this.jsseSessionParameters = jsseSessionParameters;
+        this.lastAccessedTime = new AtomicLong(creationTime);
+    }
+
+    long access()
+    {
+        long accessTime = getCurrentTime(), previous;
+        do
+        {
+            previous = lastAccessedTime.get();
+        }
+        while (accessTime > previous && !lastAccessedTime.compareAndSet(previous, accessTime));
+        return accessTime;
     }
 
     @Override
@@ -50,6 +64,11 @@ protected JsseSessionParameters getJsseSessionParameters()
         return jsseSessionParameters;
     }
 
+    public long getLastAccessedTime()
+    {
+        return lastAccessedTime.get();
+    }
+
     @Override
     protected org.bouncycastle.tls.Certificate getLocalCertificateTLS()
     {
@@ -110,6 +129,7 @@ public boolean isValid()
     static final ProvSSLSession createDummySession()
     {
         // NB: Allow session value binding on failed connections for SunJSSE compatibility 
-        return new ProvSSLSession(null, createValueMap(), null, -1, null, new JsseSessionParameters(null, null));
+        return new ProvSSLSession(null, createValueMap(), null, -1, getCurrentTime(), null,
+            new JsseSessionParameters(null, null));
     }
 }

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java

@@ -4,7 +4,6 @@
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.atomic.AtomicLong;
 import java.util.concurrent.atomic.AtomicReference;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
@@ -33,20 +32,18 @@ abstract class ProvSSLSessionBase
     protected final int peerPort;
     protected final long creationTime;
     protected final SSLSession exportSSLSession;
-    protected final AtomicLong lastAccessedTime;
 
     ProvSSLSessionBase(ProvSSLSessionContext sslSessionContext, ConcurrentHashMap<String, Object> valueMap,
-        String peerHost, int peerPort)
+        String peerHost, int peerPort, long creationTime)
     {
         this.sslSessionContext = new AtomicReference<ProvSSLSessionContext>(sslSessionContext);
         this.valueMap = valueMap;
         this.fipsMode = (null == sslSessionContext) ? false : sslSessionContext.getContextData().isFipsMode();
         this.crypto = (null == sslSessionContext) ? null : sslSessionContext.getContextData().getCrypto();
         this.peerHost = peerHost;
         this.peerPort = peerPort;
-        this.creationTime = System.currentTimeMillis();
+        this.creationTime = creationTime;
         this.exportSSLSession = SSLSessionUtil.exportSSLSession(this);
-        this.lastAccessedTime = new AtomicLong(creationTime);
     }
 
     protected abstract int getCipherSuiteTLS();
@@ -70,15 +67,6 @@ SSLSession getExportSSLSession()
         return exportSSLSession;
     }
 
-    void accessedAt(long accessTime)
-    {
-        long current = lastAccessedTime.get();
-        if (accessTime > current)
-        {
-            lastAccessedTime.compareAndSet(current, accessTime);
-        }
-    }
-
     @Override
     public boolean equals(Object obj)
     {
@@ -117,11 +105,6 @@ public byte[] getId()
         return TlsUtils.isNullOrEmpty(id) ? TlsUtils.EMPTY_BYTES : id.clone();
     }
 
-    public long getLastAccessedTime()
-    {
-        return lastAccessedTime.get();
-    }
-
     public Certificate[] getLocalCertificates()
     {
         if (null != crypto)
@@ -362,4 +345,9 @@ protected static ConcurrentHashMap<String, Object> createValueMap()
     {
         return new ConcurrentHashMap<String, Object>();
     }
+
+    protected static long getCurrentTime()
+    {
+        return System.currentTimeMillis();
+    }
 }

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionContext.java

@@ -63,15 +63,15 @@ synchronized ProvSSLSession getSessionImpl(byte[] sessionID)
     {
         processQueue();
 
-        return accessSession(mapGet(sessionsByID, makeSessionID(sessionID)));
+        return getSessionImpl(mapGet(sessionsByID, makeSessionID(sessionID)));
     }
 
     synchronized ProvSSLSession getSessionImpl(String hostName, int port)
     {
         processQueue();
 
         SessionEntry sessionEntry = mapGet(sessionsByPeer, makePeerKey(hostName, port));
-        ProvSSLSession session = accessSession(sessionEntry);
+        ProvSSLSession session = getSessionImpl(sessionEntry);
         if (session != null)
         {
             // NOTE: For the current simple cache implementation, need to 'access' the sessionByIDs entry
@@ -96,8 +96,8 @@ synchronized ProvSSLSession reportSession(ProvSSLSessionHandshake handshakeSessi
 
         if (!addToCache)
         {
-            return new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort, tlsSession,
-                jsseSessionParameters);
+            return new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort,
+                handshakeSession.getCreationTime(), tlsSession, jsseSessionParameters);
         }
 
         SessionID sessionID = makeSessionID(tlsSession.getSessionID());
@@ -106,8 +106,8 @@ synchronized ProvSSLSession reportSession(ProvSSLSessionHandshake handshakeSessi
         ProvSSLSession session = sessionEntry == null ? null : sessionEntry.get();
         if (null == session || session.getTlsSession() != tlsSession)
         {
-            session = new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort, tlsSession,
-                jsseSessionParameters);
+            session = new ProvSSLSession(this, handshakeSession.getValueMap(), peerHost, peerPort,
+                handshakeSession.getCreationTime(), tlsSession, jsseSessionParameters);
 
             if (null != sessionID)
             {
@@ -207,17 +207,15 @@ public synchronized void setSessionTimeout(int seconds) throws IllegalArgumentEx
         removeAllExpiredSessions();
     }
 
-    private ProvSSLSession accessSession(SessionEntry sessionEntry)
+    private ProvSSLSession getSessionImpl(SessionEntry sessionEntry)
     {
         if (sessionEntry != null)
         {
             ProvSSLSession session = sessionEntry.get();
             if (session != null)
             {
-                long currentTimeMillis = System.currentTimeMillis();
-                if (!invalidateIfCreatedBefore(sessionEntry, getCreationTimeLimit(currentTimeMillis)))
+                if (!invalidateIfCreatedBefore(sessionEntry, getCreationTimeLimit()))
                 {
-                    session.accessedAt(currentTimeMillis);
                     return session;
                 }
             }
@@ -227,9 +225,9 @@ private ProvSSLSession accessSession(SessionEntry sessionEntry)
         return null;
     }
 
-    private long getCreationTimeLimit(long expiryTimeMillis)
+    private long getCreationTimeLimit()
     {
-        return sessionTimeoutSeconds < 1 ? Long.MIN_VALUE : (expiryTimeMillis - 1000L * sessionTimeoutSeconds);
+        return sessionTimeoutSeconds < 1 ? Long.MIN_VALUE : (System.currentTimeMillis() - 1000L * sessionTimeoutSeconds);
     }
 
     private boolean invalidateIfCreatedBefore(SessionEntry sessionEntry, long creationTimeLimit)
@@ -267,7 +265,7 @@ private void removeAllExpiredSessions()
     {
         processQueue();
 
-        long creationTimeLimit = getCreationTimeLimit(System.currentTimeMillis());
+        long creationTimeLimit = getCreationTimeLimit();
 
         Iterator<SessionEntry> iter = sessionsByID.values().iterator();
         while (iter.hasNext())

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionHandshake.java

@@ -20,14 +20,15 @@ class ProvSSLSessionHandshake
     ProvSSLSessionHandshake(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort,
         SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters)
     {
-        this(sslSessionContext, createValueMap(), peerHost, peerPort, securityParameters, jsseSecurityParameters);
+        this(sslSessionContext, createValueMap(), peerHost, peerPort, getCurrentTime(), securityParameters,
+            jsseSecurityParameters);
     }
 
     protected ProvSSLSessionHandshake(ProvSSLSessionContext sslSessionContext,
-        ConcurrentHashMap<String, Object> valueMap, String peerHost, int peerPort,
+        ConcurrentHashMap<String, Object> valueMap, String peerHost, int peerPort, long creationTime,
         SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters)
     {
-        super(sslSessionContext, valueMap, peerHost, peerPort);
+        super(sslSessionContext, valueMap, peerHost, peerPort, creationTime);
 
         this.securityParameters = securityParameters;
         this.jsseSecurityParameters = jsseSecurityParameters;
@@ -62,6 +63,11 @@ protected JsseSessionParameters getJsseSessionParameters()
         return null;
     }
 
+    public long getLastAccessedTime()
+    {
+        return getCreationTime();
+    }
+
     @Override
     protected org.bouncycastle.tls.Certificate getLocalCertificateTLS()
     {

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionResumed.java

@@ -11,17 +11,19 @@ class ProvSSLSessionResumed
     protected final TlsSession tlsSession;
     protected final SessionParameters sessionParameters;
     protected final JsseSessionParameters jsseSessionParameters;
+    protected final long lastAccessedTime;
 
     ProvSSLSessionResumed(ProvSSLSessionContext sslSessionContext, String peerHost, int peerPort,
         SecurityParameters securityParameters, JsseSecurityParameters jsseSecurityParameters,
         ProvSSLSession resumedSession)
     {
-        super(sslSessionContext, resumedSession.getValueMap(), peerHost, peerPort, securityParameters,
-            jsseSecurityParameters);
+        super(sslSessionContext, resumedSession.getValueMap(), peerHost, peerPort, resumedSession.getCreationTime(),
+            securityParameters, jsseSecurityParameters);
 
         this.tlsSession = resumedSession.getTlsSession();
         this.sessionParameters = tlsSession.exportSessionParameters();
         this.jsseSessionParameters = resumedSession.getJsseSessionParameters();
+        this.lastAccessedTime = resumedSession.access();
     }
 
     @Override
@@ -36,6 +38,11 @@ protected byte[] getIDArray()
         return tlsSession.getSessionID();
     }
 
+    public long getLastAccessedTime()
+    {
+        return lastAccessedTime;
+    }
+
     @Override
     protected JsseSessionParameters getJsseSessionParameters()
     {

tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java

@@ -340,12 +340,10 @@ protected boolean selectCipherSuite(int cipherSuite) throws IOException
             }
         }
 
-        boolean result = super.selectCipherSuite(cipherSuite);
-        if (result)
-        {
-            this.credentials = cipherSuiteCredentials;
-        }
-        return result;
+        this.selectedCipherSuite = cipherSuite;
+        this.credentials = cipherSuiteCredentials;
+
+        return true;
     }
 
     @Override