package tlschannel;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ByteChannel;
import java.nio.channels.Channel;
import java.nio.channels.ClosedChannelException;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Consumer;
import java.util.function.Function;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import tlschannel.impl.BufferHolder;
import tlschannel.impl.ByteBufferSet;
import tlschannel.impl.TlsChannelImpl;
import tlschannel.impl.TlsChannelImpl.EofException;
import tlschannel.impl.TlsExplorer;
/** A server-side {@link TlsChannel}. */
public class ServerTlsChannel implements TlsChannel {
private static final Logger logger = LoggerFactory.getLogger(ServerTlsChannel.class);
private interface SslContextStrategy {
@FunctionalInterface
interface SniReader {
Optional<SNIServerName> readSni() throws IOException, EofException;
}
SSLContext getSslContext(SniReader sniReader) throws IOException, EofException;
}
private static class SniSslContextStrategy implements SslContextStrategy {
private SniSslContextFactory sniSslContextFactory;
public SniSslContextStrategy(SniSslContextFactory sniSslContextFactory) {
this.sniSslContextFactory = sniSslContextFactory;
}
@Override
public SSLContext getSslContext(SniReader sniReader) throws IOException, EofException {
// IO block
Optional<SNIServerName> nameOpt = sniReader.readSni();
// call client code
Optional<SSLContext> chosenContext;
try {
chosenContext = sniSslContextFactory.getSslContext(nameOpt);
} catch (Exception e) {
logger.trace("client code threw exception during evaluation of server name indication", e);
throw new TlsChannelCallbackException("SNI callback failed", e);
}
return chosenContext.orElseThrow(
() -> new SSLHandshakeException("No ssl context available for received SNI: " + nameOpt));
}
}
private static class FixedSslContextStrategy implements SslContextStrategy {
private final SSLContext sslContext;
public FixedSslContextStrategy(SSLContext sslContext) {
this.sslContext = sslContext;
}
@Override
public SSLContext getSslContext(SniReader sniReader) {
/*
* Avoid SNI parsing (using the supplied sniReader) when no decision
* would be made based on it.
*/
return sslContext;
}
}
private static SSLEngine defaultSSLEngineFactory(SSLContext sslContext) {
SSLEngine engine = sslContext.createSSLEngine();
engine.setUseClientMode(false);
return engine;
}
/** Builder of {@link ServerTlsChannel} */
public static class Builder extends TlsChannelBuilder<Builder> {
private final SslContextStrategy internalSslContextFactory;
private Function<SSLContext, SSLEngine> sslEngineFactory =
ServerTlsChannel::defaultSSLEngineFactory;
private Builder(ByteChannel underlying, SSLContext sslContext) {
super(underlying);
this.internalSslContextFactory = new FixedSslContextStrategy(sslContext);
}
private Builder(ByteChannel wrapped, SniSslContextFactory sslContextFactory) {
super(wrapped);
this.internalSslContextFactory = new SniSslContextStrategy(sslContextFactory);
}
@Override
Builder getThis() {
return this;
}
public Builder withEngineFactory(Function<SSLContext, SSLEngine> sslEngineFactory) {
this.sslEngineFactory = sslEngineFactory;
return this;
}
public ServerTlsChannel build() {
return new ServerTlsChannel(
underlying,
internalSslContextFactory,
sslEngineFactory,
sessionInitCallback,
runTasks,
plainBufferAllocator,
encryptedBufferAllocator,
releaseBuffers,
waitForCloseConfirmation);
}
}
/**
* Create a new {@link Builder}, configured with a underlying {@link Channel} and a fixed {@link
* SSLContext}, which will be used to create the {@link SSLEngine}.
*
* @param underlying a reference to the underlying {@link ByteChannel}
* @param sslContext a fixed {@link SSLContext} to be used
* @return the new builder
*/
public static Builder newBuilder(ByteChannel underlying, SSLContext sslContext) {
return new Builder(underlying, sslContext);
}
/**
* Create a new {@link Builder}, configured with a underlying {@link Channel} and a custom {@link
* SSLContext} factory, which will be used to create the context (in turn used to create the
* {@link SSLEngine}, as a function of the SNI received at the TLS connection start.
*
* <p><b>Implementation note:</b><br>
* Due to limitations of {@link SSLEngine}, configuring a {@link ServerTlsChannel} to select the
* {@link SSLContext} based on the SNI value implies parsing the first TLS frame (ClientHello)
* independently of the SSLEngine.
*
* @param underlying a reference to the underlying {@link ByteChannel}
* @param sslContextFactory a function from an optional SNI to the {@link SSLContext} to be used
* @return the new builder
* @see <a href="https://tools.ietf.org/html/rfc6066#section-3">Server Name Indication</a>
*/
public static Builder newBuilder(ByteChannel underlying, SniSslContextFactory sslContextFactory) {
return new Builder(underlying, sslContextFactory);
}
private final ByteChannel underlying;
private final SslContextStrategy sslContextStrategy;
private final Function<SSLContext, SSLEngine> engineFactory;
private final Consumer<SSLSession> sessionInitCallback;
private final boolean runTasks;
private final TrackingAllocator plainBufAllocator;
private final TrackingAllocator encryptedBufAllocator;
private final boolean releaseBuffers;
private final boolean waitForCloseConfirmation;
private final Lock initLock = new ReentrantLock();
private BufferHolder inEncrypted;
private volatile boolean sniRead = false;
private SSLContext sslContext = null;
private TlsChannelImpl impl = null;
// @formatter:off
private ServerTlsChannel(
ByteChannel underlying,
SslContextStrategy internalSslContextFactory,
Function<SSLContext, SSLEngine> engineFactory,
Consumer<SSLSession> sessionInitCallback,
boolean runTasks,
BufferAllocator plainBufAllocator,
BufferAllocator encryptedBufAllocator,
boolean releaseBuffers,
boolean waitForCloseConfirmation) {
this.underlying = underlying;
this.sslContextStrategy = internalSslContextFactory;
this.engineFactory = engineFactory;
this.sessionInitCallback = sessionInitCallback;
this.runTasks = runTasks;
this.plainBufAllocator = new TrackingAllocator(plainBufAllocator);
this.encryptedBufAllocator = new TrackingAllocator(encryptedBufAllocator);
this.releaseBuffers = releaseBuffers;
this.waitForCloseConfirmation = waitForCloseConfirmation;
inEncrypted =
new BufferHolder(
"inEncrypted",
Optional.empty(),
encryptedBufAllocator,
TlsChannelImpl.buffersInitialSize,
TlsChannelImpl.maxTlsPacketSize,
false /* plainData */,
releaseBuffers);
}
// @formatter:on
@Override
public ByteChannel getUnderlying() {
return underlying;
}
/**
* Return the used {@link SSLContext}.
*
* @return if context if present, of null if the TLS connection as not been initializer, or the
* SNI not received yet.
*/
public SSLContext getSslContext() {
return sslContext;
}
@Override
public SSLEngine getSslEngine() {
return impl == null ? null : impl.engine();
}
@Override
public Consumer<SSLSession> getSessionInitCallback() {
return sessionInitCallback;
}
@Override
public boolean getRunTasks() {
return impl.getRunTasks();
}
@Override
public TrackingAllocator getPlainBufferAllocator() {
return plainBufAllocator;
}
@Override
public TrackingAllocator getEncryptedBufferAllocator() {
return encryptedBufAllocator;
}
@Override
public long read(ByteBuffer[] dstBuffers, int offset, int length) throws IOException {
ByteBufferSet dest = new ByteBufferSet(dstBuffers, offset, length);
TlsChannelImpl.checkReadBuffer(dest);
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
return -1;
}
}
return impl.read(dest);
}
@Override
public long read(ByteBuffer[] dstBuffers) throws IOException {
return read(dstBuffers, 0, dstBuffers.length);
}
@Override
public int read(ByteBuffer dstBuffer) throws IOException {
return (int) read(new ByteBuffer[] {dstBuffer});
}
@Override
public long write(ByteBuffer[] srcs, int offset, int length) throws IOException {
ByteBufferSet source = new ByteBufferSet(srcs, offset, length);
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
throw new ClosedChannelException();
}
}
return impl.write(source);
}
@Override
public long write(ByteBuffer[] srcs) throws IOException {
return write(srcs, 0, srcs.length);
}
@Override
public int write(ByteBuffer srcBuffer) throws IOException {
return (int) write(new ByteBuffer[] {srcBuffer});
}
@Override
public void renegotiate() throws IOException {
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
throw new ClosedChannelException();
}
}
impl.renegotiate();
}
@Override
public void handshake() throws IOException {
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
throw new ClosedChannelException();
}
}
impl.handshake();
}
@Override
public void close() throws IOException {
if (impl != null) impl.close();
if (inEncrypted != null) inEncrypted.dispose();
underlying.close();
}
@Override
public boolean isOpen() {
return underlying.isOpen();
}
private void initEngine() throws IOException, EofException {
initLock.lock();
try {
if (!sniRead) {
sslContext = sslContextStrategy.getSslContext(this::getServerNameIndication);
// call client code
SSLEngine engine;
try {
engine = engineFactory.apply(sslContext);
} catch (Exception e) {
logger.trace("client threw exception in SSLEngine factory", e);
throw new TlsChannelCallbackException("SSLEngine creation callback failed", e);
}
impl =
new TlsChannelImpl(
underlying,
underlying,
engine,
Optional.of(inEncrypted),
sessionInitCallback,
runTasks,
plainBufAllocator,
encryptedBufAllocator,
releaseBuffers,
waitForCloseConfirmation);
inEncrypted = null;
sniRead = true;
}
} finally {
initLock.unlock();
}
}
private Optional<SNIServerName> getServerNameIndication() throws IOException, EofException {
inEncrypted.prepare();
try {
int recordHeaderSize = readRecordHeaderSize();
while (inEncrypted.buffer.position() < recordHeaderSize) {
if (!inEncrypted.buffer.hasRemaining()) {
inEncrypted.enlarge();
}
TlsChannelImpl.readFromChannel(underlying, inEncrypted.buffer); // IO block
}
inEncrypted.buffer.flip();
Map<Integer, SNIServerName> serverNames = TlsExplorer.explore(inEncrypted.buffer);
inEncrypted.buffer.compact();
SNIServerName hostName = serverNames.get(StandardConstants.SNI_HOST_NAME);
if (hostName instanceof SNIHostName) {
SNIHostName sniHostName = (SNIHostName) hostName;
return Optional.of(sniHostName);
} else {
return Optional.empty();
}
} finally {
inEncrypted.release();
}
}
private int readRecordHeaderSize() throws IOException, EofException {
while (inEncrypted.buffer.position() < TlsExplorer.RECORD_HEADER_SIZE) {
if (!inEncrypted.buffer.hasRemaining()) {
throw new IllegalStateException("inEncrypted too small");
}
TlsChannelImpl.readFromChannel(underlying, inEncrypted.buffer); // IO block
}
inEncrypted.buffer.flip();
int recordHeaderSize = TlsExplorer.getRequiredSize(inEncrypted.buffer);
inEncrypted.buffer.compact();
return recordHeaderSize;
}
@Override
public boolean shutdown() throws IOException {
return impl != null && impl.shutdown();
}
@Override
public boolean shutdownReceived() {
return impl != null && impl.shutdownReceived();
}
@Override
public boolean shutdownSent() {
return impl != null && impl.shutdownSent();
}
}
