View Javadoc
1   /*
2    * Copyright 2017 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import static io.netty.handler.ssl.SslUtils.toSSLHandshakeException;
19  import static io.netty.util.internal.ObjectUtil.checkNotNull;
20  import static java.lang.Math.min;
21  
22  import io.netty.buffer.ByteBuf;
23  import io.netty.buffer.ByteBufAllocator;
24  import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelectionListener;
25  import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelector;
26  import java.nio.ByteBuffer;
27  import java.util.Collections;
28  import java.util.LinkedHashSet;
29  import java.util.List;
30  import javax.net.ssl.SSLEngine;
31  import javax.net.ssl.SSLEngineResult;
32  import javax.net.ssl.SSLException;
33  
34  import io.netty.util.internal.EmptyArrays;
35  import io.netty.util.internal.SystemPropertyUtil;
36  import org.conscrypt.AllocatedBuffer;
37  import org.conscrypt.BufferAllocator;
38  import org.conscrypt.Conscrypt;
39  import org.conscrypt.HandshakeListener;
40  
41  /**
42   * A {@link JdkSslEngine} that uses the Conscrypt provider or SSL with ALPN.
43   */
44  abstract class ConscryptAlpnSslEngine extends JdkSslEngine {
45      private static final boolean USE_BUFFER_ALLOCATOR = SystemPropertyUtil.getBoolean(
46              "io.netty.handler.ssl.conscrypt.useBufferAllocator", true);
47  
48      static ConscryptAlpnSslEngine newClientEngine(SSLEngine engine, ByteBufAllocator alloc,
49              JdkApplicationProtocolNegotiator applicationNegotiator) {
50          return new ClientEngine(engine, alloc, applicationNegotiator);
51      }
52  
53      static ConscryptAlpnSslEngine newServerEngine(SSLEngine engine, ByteBufAllocator alloc,
54              JdkApplicationProtocolNegotiator applicationNegotiator) {
55          return new ServerEngine(engine, alloc, applicationNegotiator);
56      }
57  
58      private ConscryptAlpnSslEngine(SSLEngine engine, ByteBufAllocator alloc, List<String> protocols) {
59          super(engine);
60  
61          // Configure the Conscrypt engine to use Netty's buffer allocator. This is a trade-off of memory vs
62          // performance.
63          //
64          // If no allocator is provided, the engine will internally allocate a direct buffer of max packet size in
65          // order to optimize JNI calls (this happens the first time it is provided a non-direct buffer from the
66          // application).
67          //
68          // Alternatively, if an allocator is provided, no internal buffer will be created and direct buffers will be
69          // retrieved from the allocator on-demand.
70          if (USE_BUFFER_ALLOCATOR) {
71              Conscrypt.setBufferAllocator(engine, new BufferAllocatorAdapter(alloc));
72          }
73  
74          // Set the list of supported ALPN protocols on the engine.
75          Conscrypt.setApplicationProtocols(engine, protocols.toArray(EmptyArrays.EMPTY_STRINGS));
76      }
77  
78      /**
79       * Calculates the maximum size of the encrypted output buffer required to wrap the given plaintext bytes. Assumes
80       * as a worst case that there is one TLS record per buffer.
81       *
82       * @param plaintextBytes the number of plaintext bytes to be wrapped.
83       * @param numBuffers the number of buffers that the plaintext bytes are spread across.
84       * @return the maximum size of the encrypted output buffer required for the wrap operation.
85       */
86      final int calculateOutNetBufSize(int plaintextBytes, int numBuffers) {
87          // Assuming a max of one frame per component in a composite buffer.
88          return calculateSpace(plaintextBytes, numBuffers, Integer.MAX_VALUE);
89      }
90  
91      /**
92       * Calculate the space necessary in an out buffer to hold the max size that the given
93       * plaintextBytes and numBuffers can produce when encrypted. Assumes as a worst case
94       * that there is one TLS record per buffer.
95       * @param plaintextBytes the number of plaintext bytes to be wrapped.
96       * @param numBuffers the number of buffers that the plaintext bytes are spread across.
97       * @return the maximum size of the encrypted output buffer required for the wrap operation.
98       */
99      final int calculateRequiredOutBufSpace(int plaintextBytes, int numBuffers) {
100         return calculateSpace(plaintextBytes, numBuffers, Conscrypt.maxEncryptedPacketLength());
101     }
102 
103     private int calculateSpace(int plaintextBytes, int numBuffers, long maxPacketLength) {
104          long maxOverhead = (long) Conscrypt.maxSealOverhead(getWrappedEngine()) * numBuffers;
105          return (int) min(maxPacketLength, plaintextBytes + maxOverhead);
106     }
107 
108     final SSLEngineResult unwrap(ByteBuffer[] srcs, ByteBuffer[] dests) throws SSLException {
109         return Conscrypt.unwrap(getWrappedEngine(), srcs, dests);
110     }
111 
112     private static final class ClientEngine extends ConscryptAlpnSslEngine {
113         private final ProtocolSelectionListener protocolListener;
114 
115         ClientEngine(SSLEngine engine, ByteBufAllocator alloc,
116                 JdkApplicationProtocolNegotiator applicationNegotiator) {
117             super(engine, alloc, applicationNegotiator.protocols());
118             // Register for completion of the handshake.
119             Conscrypt.setHandshakeListener(engine, new HandshakeListener() {
120                 @Override
121                 public void onHandshakeFinished() throws SSLException {
122                     selectProtocol();
123                 }
124             });
125 
126             protocolListener = checkNotNull(applicationNegotiator
127                             .protocolListenerFactory().newListener(this, applicationNegotiator.protocols()),
128                     "protocolListener");
129         }
130 
131         private void selectProtocol() throws SSLException {
132             String protocol = Conscrypt.getApplicationProtocol(getWrappedEngine());
133             try {
134                 protocolListener.selected(protocol);
135             } catch (Throwable e) {
136                 throw toSSLHandshakeException(e);
137             }
138         }
139     }
140 
141     private static final class ServerEngine extends ConscryptAlpnSslEngine {
142         private final ProtocolSelector protocolSelector;
143 
144         ServerEngine(SSLEngine engine, ByteBufAllocator alloc,
145                      JdkApplicationProtocolNegotiator applicationNegotiator) {
146             super(engine, alloc, applicationNegotiator.protocols());
147 
148             // Register for completion of the handshake.
149             Conscrypt.setHandshakeListener(engine, new HandshakeListener() {
150                 @Override
151                 public void onHandshakeFinished() throws SSLException {
152                     selectProtocol();
153                 }
154             });
155 
156             protocolSelector = checkNotNull(applicationNegotiator.protocolSelectorFactory()
157                             .newSelector(this,
158                                     new LinkedHashSet<String>(applicationNegotiator.protocols())),
159                     "protocolSelector");
160         }
161 
162         private void selectProtocol() throws SSLException {
163             try {
164                 String protocol = Conscrypt.getApplicationProtocol(getWrappedEngine());
165                 protocolSelector.select(protocol != null ? Collections.singletonList(protocol)
166                         : Collections.<String>emptyList());
167             } catch (Throwable e) {
168                 throw toSSLHandshakeException(e);
169             }
170         }
171     }
172 
173     private static final class BufferAllocatorAdapter extends BufferAllocator {
174         private final ByteBufAllocator alloc;
175 
176         BufferAllocatorAdapter(ByteBufAllocator alloc) {
177             this.alloc = alloc;
178         }
179 
180         @Override
181         public AllocatedBuffer allocateDirectBuffer(int capacity) {
182             return new BufferAdapter(alloc.directBuffer(capacity));
183         }
184     }
185 
186     private static final class BufferAdapter extends AllocatedBuffer {
187         private final ByteBuf nettyBuffer;
188         private final ByteBuffer buffer;
189 
190         BufferAdapter(ByteBuf nettyBuffer) {
191             this.nettyBuffer = nettyBuffer;
192             buffer = nettyBuffer.nioBuffer(0, nettyBuffer.capacity());
193         }
194 
195         @Override
196         public ByteBuffer nioBuffer() {
197             return buffer;
198         }
199 
200         @Override
201         public AllocatedBuffer retain() {
202             nettyBuffer.retain();
203             return this;
204         }
205 
206         @Override
207         public AllocatedBuffer release() {
208             nettyBuffer.release();
209             return this;
210         }
211     }
212 }