Inheritance diagram for ChannelIOSecure:

Collaboration diagram for ChannelIOSecure:

Protected Member Functions
	ChannelIOSecure (SocketChannel sc, boolean blocking, SSLContext sslc) throws IOException

void	resizeRequestBB ()

Protected Member Functions inherited from ChannelIO
	ChannelIO (SocketChannel sc, boolean blocking) throws IOException

void	resizeRequestBB (int remaining)

Package Functions
boolean	dataFlush () throws IOException

boolean	doHandshake () throws IOException

boolean	doHandshake (SelectionKey sk) throws IOException

int	read () throws IOException

boolean	shutdown () throws IOException

long	transferTo (FileChannel fc, long pos, long len) throws IOException

int	write (ByteBuffer src) throws IOException

Package Functions inherited from ChannelIO
void	close () throws IOException

ByteBuffer	getReadBuf ()

SocketChannel	getSocketChannel ()

Static Package Functions
static ChannelIOSecure	getInstance (SocketChannel sc, boolean blocking, SSLContext sslc) throws IOException

Static Package Functions inherited from ChannelIO
static ChannelIO	getInstance (SocketChannel sc, boolean blocking) throws IOException

Private Member Functions
SSLEngineResult.HandshakeStatus	doTasks ()

int	doWrite (ByteBuffer src) throws IOException

void	resizeResponseBB ()

boolean	tryFlush (ByteBuffer bb) throws IOException

Private Attributes
int	appBBSize

ByteBuffer	fileChannelBB = null

boolean	initialHSComplete

HandshakeStatus	initialHSStatus

ByteBuffer	inNetBB

int	netBBSize

ByteBuffer	outNetBB

boolean	shutdown = false

SSLEngine	sslEngine = null

Static Private Attributes
static ByteBuffer	hsBB = ByteBuffer.allocate(0)

Additional Inherited Members
Protected Attributes inherited from ChannelIO
ByteBuffer	requestBB

SocketChannel	sc

Detailed Description

A helper class which performs I/O using the SSLEngine API.

Each connection has a SocketChannel and a SSLEngine that is used through the lifetime of the Channel. We allocate byte buffers for use as the outbound and inbound network buffers.

              Application Data
              src      requestBB
               |           ^
               |     |     |
               v     |     |
          +----+-----|-----+----+
          |          |          |
          |       SSL|Engine    |
  wrap()  |          |          |  unwrap()
          | OUTBOUND | INBOUND  |
          |          |          |
          +----+-----|-----+----+
               |     |     ^
               |     |     |
               v           |
           outNetBB     inNetBB
                  Net data

These buffers handle all of the intermediary data for the SSL connection. To make things easy, we'll require outNetBB be completely flushed before trying to wrap any more data, but we could certainly remove that restriction by using larger buffers.

There are many, many ways to handle compute and I/O strategies. What follows is a relatively simple one. The reader is encouraged to develop the strategy that best fits the application.

In most of the non-blocking operations in this class, we let the Selector tell us when we're ready to attempt an I/O operation (by the application repeatedly calling our methods). Another option would be to attempt the operation and return from the method when no forward progress can be made.

There's lots of room for enhancements and improvement in this example.

We're checking for SSL/TLS end-of-stream truncation attacks via sslEngine.closeInbound(). When you reach the end of a input stream via a read() returning -1 or an IOException, we call sslEngine.closeInbound() to signal to the sslEngine that no more input will be available. If the peer's close_notify message has not yet been received, this could indicate a trucation attack, in which an attacker is trying to prematurely close the connection. The closeInbound() will throw an exception if this condition were present.