use of org.apache.kafka.common.errors.SslAuthenticationException in project kafka by apache.
the class SslTransportLayer method handshakeFailure.
/**
* SSL exceptions are propagated as authentication failures so that clients can avoid
* retries and report the failure. If `flush` is true, exceptions are propagated after
* any pending outgoing bytes are flushed to ensure that the peer is notified of the failure.
*/
private void handshakeFailure(SSLException sslException, boolean flush) throws IOException {
// Release all resources such as internal buffers that SSLEngine is managing
log.debug("SSL Handshake failed", sslException);
sslEngine.closeOutbound();
try {
sslEngine.closeInbound();
} catch (SSLException e) {
log.debug("SSLEngine.closeInBound() raised an exception.", e);
}
state = State.HANDSHAKE_FAILED;
handshakeException = new SslAuthenticationException("SSL handshake failed", sslException);
// handle the handshake failure as an authentication exception.
if (!flush || handshakeWrapAfterFailure(flush))
throw handshakeException;
else
log.debug("Delay propagation of handshake exception till {} bytes remaining are flushed", netWriteBuffer.remaining());
}
use of org.apache.kafka.common.errors.SslAuthenticationException in project apache-kafka-on-k8s by banzaicloud.
the class SslTransportLayer method handshakeFailure.
/**
* SSL exceptions are propagated as authentication failures so that clients can avoid
* retries and report the failure. If `flush` is true, exceptions are propagated after
* any pending outgoing bytes are flushed to ensure that the peer is notified of the failure.
*/
private void handshakeFailure(SSLException sslException, boolean flush) throws IOException {
// Release all resources such as internal buffers that SSLEngine is managing
sslEngine.closeOutbound();
try {
sslEngine.closeInbound();
} catch (SSLException e) {
log.debug("SSLEngine.closeInBound() raised an exception.", e);
}
state = State.HANDSHAKE_FAILED;
handshakeException = new SslAuthenticationException("SSL handshake failed", sslException);
if (!flush || flush(netWriteBuffer))
throw handshakeException;
}
use of org.apache.kafka.common.errors.SslAuthenticationException in project kafka by apache.
the class SslTransportLayer method read.
/**
* Reads a sequence of bytes from this channel into the given buffer. Reads as much as possible
* until either the dst buffer is full or there is no more data in the socket.
*
* @param dst The buffer into which bytes are to be transferred
* @return The number of bytes read, possible zero or -1 if the channel has reached end-of-stream
* and no more data is available
* @throws IOException if some other I/O error occurs
*/
@Override
public int read(ByteBuffer dst) throws IOException {
if (state == State.CLOSING)
return -1;
else if (!ready())
return 0;
// if we have unread decrypted data in appReadBuffer read that into dst buffer.
int read = 0;
if (appReadBuffer.position() > 0) {
read = readFromAppBuffer(dst);
}
boolean readFromNetwork = false;
boolean isClosed = false;
// Each loop reads at most once from the socket.
while (dst.remaining() > 0) {
int netread = 0;
netReadBuffer = Utils.ensureCapacity(netReadBuffer, netReadBufferSize());
if (netReadBuffer.remaining() > 0) {
netread = readFromSocketChannel();
if (netread > 0)
readFromNetwork = true;
}
while (netReadBuffer.position() > 0) {
netReadBuffer.flip();
SSLEngineResult unwrapResult;
try {
unwrapResult = sslEngine.unwrap(netReadBuffer, appReadBuffer);
if (state == State.POST_HANDSHAKE && appReadBuffer.position() != 0) {
// For TLSv1.3, we have finished processing post-handshake messages since we are now processing data
state = State.READY;
}
} catch (SSLException e) {
// For TLSv1.3, handle SSL exceptions while processing post-handshake messages as authentication exceptions
if (state == State.POST_HANDSHAKE) {
state = State.HANDSHAKE_FAILED;
throw new SslAuthenticationException("Failed to process post-handshake messages", e);
} else
throw e;
}
netReadBuffer.compact();
// handle ssl renegotiation.
if (unwrapResult.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING && unwrapResult.getHandshakeStatus() != HandshakeStatus.FINISHED && unwrapResult.getStatus() == Status.OK) {
log.error("Renegotiation requested, but it is not supported, channelId {}, " + "appReadBuffer pos {}, netReadBuffer pos {}, netWriteBuffer pos {} handshakeStatus {}", channelId, appReadBuffer.position(), netReadBuffer.position(), netWriteBuffer.position(), unwrapResult.getHandshakeStatus());
throw renegotiationException();
}
if (unwrapResult.getStatus() == Status.OK) {
read += readFromAppBuffer(dst);
} else if (unwrapResult.getStatus() == Status.BUFFER_OVERFLOW) {
int currentApplicationBufferSize = applicationBufferSize();
appReadBuffer = Utils.ensureCapacity(appReadBuffer, currentApplicationBufferSize);
if (appReadBuffer.position() >= currentApplicationBufferSize) {
throw new IllegalStateException("Buffer overflow when available data size (" + appReadBuffer.position() + ") >= application buffer size (" + currentApplicationBufferSize + ")");
}
// we can break here.
if (dst.hasRemaining())
read += readFromAppBuffer(dst);
else
break;
} else if (unwrapResult.getStatus() == Status.BUFFER_UNDERFLOW) {
int currentNetReadBufferSize = netReadBufferSize();
netReadBuffer = Utils.ensureCapacity(netReadBuffer, currentNetReadBufferSize);
if (netReadBuffer.position() >= currentNetReadBufferSize) {
throw new IllegalStateException("Buffer underflow when available data size (" + netReadBuffer.position() + ") > packet buffer size (" + currentNetReadBufferSize + ")");
}
break;
} else if (unwrapResult.getStatus() == Status.CLOSED) {
// If data has been read and unwrapped, return the data. Close will be handled on the next poll.
if (appReadBuffer.position() == 0 && read == 0)
throw new EOFException();
else {
isClosed = true;
break;
}
}
}
if (read == 0 && netread < 0)
throw new EOFException("EOF during read");
if (netread <= 0 || isClosed)
break;
}
updateBytesBuffered(readFromNetwork || read > 0);
// on a subsequent poll.
return read;
}
Aggregations