197 lines
7.8 KiB
Java
197 lines
7.8 KiB
Java
/*
|
|
* Copyright 2017 The Netty Project
|
|
*
|
|
* The Netty Project licenses this file to you under the Apache License,
|
|
* version 2.0 (the "License"); you may not use this file except in compliance
|
|
* with the License. You may obtain a copy of the License at:
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
* License for the specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
package io.netty.handler.ssl;
|
|
|
|
import static io.netty.handler.ssl.SslUtils.toSSLHandshakeException;
|
|
import static java.lang.Math.min;
|
|
import static java.util.Objects.requireNonNull;
|
|
|
|
import io.netty.buffer.ByteBuf;
|
|
import io.netty.buffer.ByteBufAllocator;
|
|
import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelectionListener;
|
|
import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelector;
|
|
import java.nio.ByteBuffer;
|
|
import java.util.Collections;
|
|
import java.util.LinkedHashSet;
|
|
import java.util.List;
|
|
import javax.net.ssl.SSLEngine;
|
|
import javax.net.ssl.SSLEngineResult;
|
|
import javax.net.ssl.SSLException;
|
|
|
|
import io.netty.util.internal.SystemPropertyUtil;
|
|
import org.conscrypt.AllocatedBuffer;
|
|
import org.conscrypt.BufferAllocator;
|
|
import org.conscrypt.Conscrypt;
|
|
import org.conscrypt.HandshakeListener;
|
|
|
|
/**
|
|
* A {@link JdkSslEngine} that uses the Conscrypt provider or SSL with ALPN.
|
|
*/
|
|
abstract class ConscryptAlpnSslEngine extends JdkSslEngine {
|
|
private static final boolean USE_BUFFER_ALLOCATOR = SystemPropertyUtil.getBoolean(
|
|
"io.netty.handler.ssl.conscrypt.useBufferAllocator", true);
|
|
|
|
static ConscryptAlpnSslEngine newClientEngine(SSLEngine engine, ByteBufAllocator alloc,
|
|
JdkApplicationProtocolNegotiator applicationNegotiator) {
|
|
return new ClientEngine(engine, alloc, applicationNegotiator);
|
|
}
|
|
|
|
static ConscryptAlpnSslEngine newServerEngine(SSLEngine engine, ByteBufAllocator alloc,
|
|
JdkApplicationProtocolNegotiator applicationNegotiator) {
|
|
return new ServerEngine(engine, alloc, applicationNegotiator);
|
|
}
|
|
|
|
private ConscryptAlpnSslEngine(SSLEngine engine, ByteBufAllocator alloc, List<String> protocols) {
|
|
super(engine);
|
|
|
|
// Configure the Conscrypt engine to use Netty's buffer allocator. This is a trade-off of memory vs
|
|
// performance.
|
|
//
|
|
// If no allocator is provided, the engine will internally allocate a direct buffer of max packet size in
|
|
// order to optimize JNI calls (this happens the first time it is provided a non-direct buffer from the
|
|
// application).
|
|
//
|
|
// Alternatively, if an allocator is provided, no internal buffer will be created and direct buffers will be
|
|
// retrieved from the allocator on-demand.
|
|
if (USE_BUFFER_ALLOCATOR) {
|
|
Conscrypt.setBufferAllocator(engine, new BufferAllocatorAdapter(alloc));
|
|
}
|
|
|
|
// Set the list of supported ALPN protocols on the engine.
|
|
Conscrypt.setApplicationProtocols(engine, protocols.toArray(new String[0]));
|
|
}
|
|
|
|
/**
|
|
* Calculates the maximum size of the encrypted output buffer required to wrap the given plaintext bytes. Assumes
|
|
* as a worst case that there is one TLS record per buffer.
|
|
*
|
|
* @param plaintextBytes the number of plaintext bytes to be wrapped.
|
|
* @param numBuffers the number of buffers that the plaintext bytes are spread across.
|
|
* @return the maximum size of the encrypted output buffer required for the wrap operation.
|
|
*/
|
|
final int calculateOutNetBufSize(int plaintextBytes, int numBuffers) {
|
|
// Assuming a max of one frame per component in a composite buffer.
|
|
long maxOverhead = (long) Conscrypt.maxSealOverhead(getWrappedEngine()) * numBuffers;
|
|
// TODO(nmittler): update this to use MAX_ENCRYPTED_PACKET_LENGTH instead of Integer.MAX_VALUE
|
|
return (int) min(Integer.MAX_VALUE, plaintextBytes + maxOverhead);
|
|
}
|
|
|
|
final SSLEngineResult unwrap(ByteBuffer[] srcs, ByteBuffer[] dests) throws SSLException {
|
|
return Conscrypt.unwrap(getWrappedEngine(), srcs, dests);
|
|
}
|
|
|
|
private static final class ClientEngine extends ConscryptAlpnSslEngine {
|
|
private final ProtocolSelectionListener protocolListener;
|
|
|
|
ClientEngine(SSLEngine engine, ByteBufAllocator alloc,
|
|
JdkApplicationProtocolNegotiator applicationNegotiator) {
|
|
super(engine, alloc, applicationNegotiator.protocols());
|
|
// Register for completion of the handshake.
|
|
Conscrypt.setHandshakeListener(engine, new HandshakeListener() {
|
|
@Override
|
|
public void onHandshakeFinished() throws SSLException {
|
|
selectProtocol();
|
|
}
|
|
});
|
|
|
|
protocolListener = requireNonNull(applicationNegotiator
|
|
.protocolListenerFactory().newListener(this, applicationNegotiator.protocols()),
|
|
"protocolListener");
|
|
}
|
|
|
|
private void selectProtocol() throws SSLException {
|
|
String protocol = Conscrypt.getApplicationProtocol(getWrappedEngine());
|
|
try {
|
|
protocolListener.selected(protocol);
|
|
} catch (Throwable e) {
|
|
throw toSSLHandshakeException(e);
|
|
}
|
|
}
|
|
}
|
|
|
|
private static final class ServerEngine extends ConscryptAlpnSslEngine {
|
|
private final ProtocolSelector protocolSelector;
|
|
|
|
ServerEngine(SSLEngine engine, ByteBufAllocator alloc,
|
|
JdkApplicationProtocolNegotiator applicationNegotiator) {
|
|
super(engine, alloc, applicationNegotiator.protocols());
|
|
|
|
// Register for completion of the handshake.
|
|
Conscrypt.setHandshakeListener(engine, new HandshakeListener() {
|
|
@Override
|
|
public void onHandshakeFinished() throws SSLException {
|
|
selectProtocol();
|
|
}
|
|
});
|
|
|
|
protocolSelector = requireNonNull(applicationNegotiator.protocolSelectorFactory()
|
|
.newSelector(this,
|
|
new LinkedHashSet<>(applicationNegotiator.protocols())),
|
|
"protocolSelector");
|
|
}
|
|
|
|
private void selectProtocol() throws SSLException {
|
|
try {
|
|
String protocol = Conscrypt.getApplicationProtocol(getWrappedEngine());
|
|
protocolSelector.select(protocol != null ? Collections.singletonList(protocol)
|
|
: Collections.emptyList());
|
|
} catch (Throwable e) {
|
|
throw toSSLHandshakeException(e);
|
|
}
|
|
}
|
|
}
|
|
|
|
private static final class BufferAllocatorAdapter extends BufferAllocator {
|
|
private final ByteBufAllocator alloc;
|
|
|
|
BufferAllocatorAdapter(ByteBufAllocator alloc) {
|
|
this.alloc = alloc;
|
|
}
|
|
|
|
@Override
|
|
public AllocatedBuffer allocateDirectBuffer(int capacity) {
|
|
return new BufferAdapter(alloc.directBuffer(capacity));
|
|
}
|
|
}
|
|
|
|
private static final class BufferAdapter extends AllocatedBuffer {
|
|
private final ByteBuf nettyBuffer;
|
|
private final ByteBuffer buffer;
|
|
|
|
BufferAdapter(ByteBuf nettyBuffer) {
|
|
this.nettyBuffer = nettyBuffer;
|
|
buffer = nettyBuffer.nioBuffer(0, nettyBuffer.capacity());
|
|
}
|
|
|
|
@Override
|
|
public ByteBuffer nioBuffer() {
|
|
return buffer;
|
|
}
|
|
|
|
@Override
|
|
public AllocatedBuffer retain() {
|
|
nettyBuffer.retain();
|
|
return this;
|
|
}
|
|
|
|
@Override
|
|
public AllocatedBuffer release() {
|
|
nettyBuffer.release();
|
|
return this;
|
|
}
|
|
}
|
|
}
|