1 /*
2 * Copyright 2017 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.buffer.ByteBuf;
19 import io.netty.channel.ChannelHandlerContext;
20 import io.netty.util.CharsetUtil;
21 import io.netty.util.concurrent.Future;
22
23 import java.util.Locale;
24
25 /**
26 * <p>Enables <a href="https://tools.ietf.org/html/rfc3546#section-3.1">SNI
27 * (Server Name Indication)</a> extension for server side SSL. For clients
28 * support SNI, the server could have multiple host name bound on a single IP.
29 * The client will send host name in the handshake data so server could decide
30 * which certificate to choose for the host name.</p>
31 */
32 public abstract class AbstractSniHandler<T> extends SslClientHelloHandler<T> {
33
34 private static String extractSniHostname(ByteBuf in) {
35 // See https://tools.ietf.org/html/rfc5246#section-7.4.1.2
36 //
37 // Decode the ssl client hello packet.
38 //
39 // struct {
40 // ProtocolVersion client_version;
41 // Random random;
42 // SessionID session_id;
43 // CipherSuite cipher_suites<2..2^16-2>;
44 // CompressionMethod compression_methods<1..2^8-1>;
45 // select (extensions_present) {
46 // case false:
47 // struct {};
48 // case true:
49 // Extension extensions<0..2^16-1>;
50 // };
51 // } ClientHello;
52 //
53
54 // We have to skip bytes until SessionID (which sum to 34 bytes in this case).
55 int offset = in.readerIndex();
56 int endOffset = in.writerIndex();
57 offset += 34;
58
59 if (endOffset - offset >= 6) {
60 final int sessionIdLength = in.getUnsignedByte(offset);
61 offset += sessionIdLength + 1;
62
63 final int cipherSuitesLength = in.getUnsignedShort(offset);
64 offset += cipherSuitesLength + 2;
65
66 final int compressionMethodLength = in.getUnsignedByte(offset);
67 offset += compressionMethodLength + 1;
68
69 final int extensionsLength = in.getUnsignedShort(offset);
70 offset += 2;
71 final int extensionsLimit = offset + extensionsLength;
72
73 // Extensions should never exceed the record boundary.
74 if (extensionsLimit <= endOffset) {
75 while (extensionsLimit - offset >= 4) {
76 final int extensionType = in.getUnsignedShort(offset);
77 offset += 2;
78
79 final int extensionLength = in.getUnsignedShort(offset);
80 offset += 2;
81
82 if (extensionsLimit - offset < extensionLength) {
83 break;
84 }
85
86 // SNI
87 // See https://tools.ietf.org/html/rfc6066#page-6
88 if (extensionType == 0) {
89 offset += 2;
90 if (extensionsLimit - offset < 3) {
91 break;
92 }
93
94 final int serverNameType = in.getUnsignedByte(offset);
95 offset++;
96
97 if (serverNameType == 0) {
98 final int serverNameLength = in.getUnsignedShort(offset);
99 offset += 2;
100
101 if (extensionsLimit - offset < serverNameLength) {
102 break;
103 }
104
105 final String hostname = in.toString(offset, serverNameLength, CharsetUtil.US_ASCII);
106 return hostname.toLowerCase(Locale.US);
107 } else {
108 // invalid enum value
109 break;
110 }
111 }
112
113 offset += extensionLength;
114 }
115 }
116 }
117 return null;
118 }
119
120 private String hostname;
121
122 @Override
123 protected Future<T> lookup(ChannelHandlerContext ctx, ByteBuf clientHello) throws Exception {
124 hostname = clientHello == null ? null : extractSniHostname(clientHello);
125
126 return lookup(ctx, hostname);
127 }
128
129 @Override
130 protected void onLookupComplete(ChannelHandlerContext ctx, Future<T> future) throws Exception {
131 try {
132 onLookupComplete(ctx, hostname, future);
133 } finally {
134 fireSniCompletionEvent(ctx, hostname, future);
135 }
136 }
137
138 /**
139 * Kicks off a lookup for the given SNI value and returns a {@link Future} which in turn will
140 * notify the {@link #onLookupComplete(ChannelHandlerContext, String, Future)} on completion.
141 *
142 * @see #onLookupComplete(ChannelHandlerContext, String, Future)
143 */
144 protected abstract Future<T> lookup(ChannelHandlerContext ctx, String hostname) throws Exception;
145
146 /**
147 * Called upon completion of the {@link #lookup(ChannelHandlerContext, String)} {@link Future}.
148 *
149 * @see #lookup(ChannelHandlerContext, String)
150 */
151 protected abstract void onLookupComplete(ChannelHandlerContext ctx,
152 String hostname, Future<T> future) throws Exception;
153
154 private static void fireSniCompletionEvent(ChannelHandlerContext ctx, String hostname, Future<?> future) {
155 Throwable cause = future.cause();
156 if (cause == null) {
157 ctx.fireUserEventTriggered(new SniCompletionEvent(hostname));
158 } else {
159 ctx.fireUserEventTriggered(new SniCompletionEvent(hostname, cause));
160 }
161 }
162 }