Search in sources :

Example 1 with SslAuthenticationException

use of org.apache.kafka.common.errors.SslAuthenticationException in project kafka by apache.

the class SslTransportLayer method handshakeFailure.

/**
 * SSL exceptions are propagated as authentication failures so that clients can avoid
 * retries and report the failure. If `flush` is true, exceptions are propagated after
 * any pending outgoing bytes are flushed to ensure that the peer is notified of the failure.
 */
private void handshakeFailure(SSLException sslException, boolean flush) throws IOException {
    // Release all resources such as internal buffers that SSLEngine is managing
    log.debug("SSL Handshake failed", sslException);
    sslEngine.closeOutbound();
    try {
        sslEngine.closeInbound();
    } catch (SSLException e) {
        log.debug("SSLEngine.closeInBound() raised an exception.", e);
    }
    state = State.HANDSHAKE_FAILED;
    handshakeException = new SslAuthenticationException("SSL handshake failed", sslException);
    // handle the handshake failure as an authentication exception.
    if (!flush || handshakeWrapAfterFailure(flush))
        throw handshakeException;
    else
        log.debug("Delay propagation of handshake exception till {} bytes remaining are flushed", netWriteBuffer.remaining());
}
Also used : SslAuthenticationException(org.apache.kafka.common.errors.SslAuthenticationException) SSLException(javax.net.ssl.SSLException)

Example 2 with SslAuthenticationException

use of org.apache.kafka.common.errors.SslAuthenticationException in project apache-kafka-on-k8s by banzaicloud.

the class SslTransportLayer method handshakeFailure.

/**
 * SSL exceptions are propagated as authentication failures so that clients can avoid
 * retries and report the failure. If `flush` is true, exceptions are propagated after
 * any pending outgoing bytes are flushed to ensure that the peer is notified of the failure.
 */
private void handshakeFailure(SSLException sslException, boolean flush) throws IOException {
    // Release all resources such as internal buffers that SSLEngine is managing
    sslEngine.closeOutbound();
    try {
        sslEngine.closeInbound();
    } catch (SSLException e) {
        log.debug("SSLEngine.closeInBound() raised an exception.", e);
    }
    state = State.HANDSHAKE_FAILED;
    handshakeException = new SslAuthenticationException("SSL handshake failed", sslException);
    if (!flush || flush(netWriteBuffer))
        throw handshakeException;
}
Also used : SslAuthenticationException(org.apache.kafka.common.errors.SslAuthenticationException) SSLException(javax.net.ssl.SSLException)

Example 3 with SslAuthenticationException

use of org.apache.kafka.common.errors.SslAuthenticationException in project kafka by apache.

the class SslTransportLayer method read.

/**
 * Reads a sequence of bytes from this channel into the given buffer. Reads as much as possible
 * until either the dst buffer is full or there is no more data in the socket.
 *
 * @param dst The buffer into which bytes are to be transferred
 * @return The number of bytes read, possible zero or -1 if the channel has reached end-of-stream
 *         and no more data is available
 * @throws IOException if some other I/O error occurs
 */
@Override
public int read(ByteBuffer dst) throws IOException {
    if (state == State.CLOSING)
        return -1;
    else if (!ready())
        return 0;
    // if we have unread decrypted data in appReadBuffer read that into dst buffer.
    int read = 0;
    if (appReadBuffer.position() > 0) {
        read = readFromAppBuffer(dst);
    }
    boolean readFromNetwork = false;
    boolean isClosed = false;
    // Each loop reads at most once from the socket.
    while (dst.remaining() > 0) {
        int netread = 0;
        netReadBuffer = Utils.ensureCapacity(netReadBuffer, netReadBufferSize());
        if (netReadBuffer.remaining() > 0) {
            netread = readFromSocketChannel();
            if (netread > 0)
                readFromNetwork = true;
        }
        while (netReadBuffer.position() > 0) {
            netReadBuffer.flip();
            SSLEngineResult unwrapResult;
            try {
                unwrapResult = sslEngine.unwrap(netReadBuffer, appReadBuffer);
                if (state == State.POST_HANDSHAKE && appReadBuffer.position() != 0) {
                    // For TLSv1.3, we have finished processing post-handshake messages since we are now processing data
                    state = State.READY;
                }
            } catch (SSLException e) {
                // For TLSv1.3, handle SSL exceptions while processing post-handshake messages as authentication exceptions
                if (state == State.POST_HANDSHAKE) {
                    state = State.HANDSHAKE_FAILED;
                    throw new SslAuthenticationException("Failed to process post-handshake messages", e);
                } else
                    throw e;
            }
            netReadBuffer.compact();
            // handle ssl renegotiation.
            if (unwrapResult.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING && unwrapResult.getHandshakeStatus() != HandshakeStatus.FINISHED && unwrapResult.getStatus() == Status.OK) {
                log.error("Renegotiation requested, but it is not supported, channelId {}, " + "appReadBuffer pos {}, netReadBuffer pos {}, netWriteBuffer pos {} handshakeStatus {}", channelId, appReadBuffer.position(), netReadBuffer.position(), netWriteBuffer.position(), unwrapResult.getHandshakeStatus());
                throw renegotiationException();
            }
            if (unwrapResult.getStatus() == Status.OK) {
                read += readFromAppBuffer(dst);
            } else if (unwrapResult.getStatus() == Status.BUFFER_OVERFLOW) {
                int currentApplicationBufferSize = applicationBufferSize();
                appReadBuffer = Utils.ensureCapacity(appReadBuffer, currentApplicationBufferSize);
                if (appReadBuffer.position() >= currentApplicationBufferSize) {
                    throw new IllegalStateException("Buffer overflow when available data size (" + appReadBuffer.position() + ") >= application buffer size (" + currentApplicationBufferSize + ")");
                }
                // we can break here.
                if (dst.hasRemaining())
                    read += readFromAppBuffer(dst);
                else
                    break;
            } else if (unwrapResult.getStatus() == Status.BUFFER_UNDERFLOW) {
                int currentNetReadBufferSize = netReadBufferSize();
                netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentNetReadBufferSize);
                if (netReadBuffer.position() >= currentNetReadBufferSize) {
                    throw new IllegalStateException("Buffer underflow when available data size (" + netReadBuffer.position() + ") > packet buffer size (" + currentNetReadBufferSize + ")");
                }
                break;
            } else if (unwrapResult.getStatus() == Status.CLOSED) {
                // If data has been read and unwrapped, return the data. Close will be handled on the next poll.
                if (appReadBuffer.position() == 0 && read == 0)
                    throw new EOFException();
                else {
                    isClosed = true;
                    break;
                }
            }
        }
        if (read == 0 && netread < 0)
            throw new EOFException("EOF during read");
        if (netread <= 0 || isClosed)
            break;
    }
    updateBytesBuffered(readFromNetwork || read > 0);
    // on a subsequent poll.
    return read;
}
Also used : SSLEngineResult(javax.net.ssl.SSLEngineResult) EOFException(java.io.EOFException) SslAuthenticationException(org.apache.kafka.common.errors.SslAuthenticationException) SSLException(javax.net.ssl.SSLException)

Aggregations

SSLException (javax.net.ssl.SSLException)3 SslAuthenticationException (org.apache.kafka.common.errors.SslAuthenticationException)3 EOFException (java.io.EOFException)1 SSLEngineResult (javax.net.ssl.SSLEngineResult)1