1 /*
2 * Copyright 2017 The Netty Project
3 *
4 * The Netty Project licenses this file to you under the Apache License,
5 * version 2.0 (the "License"); you may not use this file except in compliance
6 * with the License. You may obtain a copy of the License at:
7 *
8 * https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13 * License for the specific language governing permissions and limitations
14 * under the License.
15 */
16 package io.netty.handler.ssl;
17
18 import io.netty.buffer.ByteBuf;
19 import io.netty.buffer.ByteBufAllocator;
20 import io.netty.channel.ChannelHandler;
21 import io.netty.channel.ChannelHandlerContext;
22 import io.netty.handler.codec.ByteToMessageDecoder;
23 import io.netty.util.ReferenceCountUtil;
24 import io.netty.util.internal.ObjectUtil;
25
26 import javax.net.ssl.SSLContext;
27 import javax.net.ssl.SSLParameters;
28 import java.util.List;
29
30 /**
31 * {@link OptionalSslHandler} is a utility decoder to support both SSL and non-SSL handlers
32 * based on the first message received.
33 */
34 public class OptionalSslHandler extends ByteToMessageDecoder {
35
36 private final SslContext sslContext;
37
38 public OptionalSslHandler(SslContext sslContext) {
39 this.sslContext = ObjectUtil.checkNotNull(sslContext, "sslContext");
40 }
41
42 @Override
43 protected void decode(ChannelHandlerContext context, ByteBuf in, List<Object> out) throws Exception {
44 if (in.readableBytes() < SslUtils.SSL_RECORD_HEADER_LENGTH) {
45 return;
46 }
47 if (SslHandler.isEncrypted(in, false)) {
48 handleSsl(context);
49 } else {
50 handleNonSsl(context);
51 }
52 }
53
54 private void handleSsl(ChannelHandlerContext context) {
55 SslHandler sslHandler = null;
56 try {
57 sslHandler = newSslHandler(context, sslContext);
58 context.pipeline().replace(this, newSslHandlerName(), sslHandler);
59 sslHandler = null;
60 } finally {
61 // Since the SslHandler was not inserted into the pipeline the ownership of the SSLEngine was not
62 // transferred to the SslHandler.
63 if (sslHandler != null) {
64 ReferenceCountUtil.safeRelease(sslHandler.engine());
65 }
66 }
67 }
68
69 private void handleNonSsl(ChannelHandlerContext context) {
70 ChannelHandler handler = newNonSslHandler(context);
71 if (handler != null) {
72 context.pipeline().replace(this, newNonSslHandlerName(), handler);
73 } else {
74 context.pipeline().remove(this);
75 }
76 }
77
78 /**
79 * Optionally specify the SSL handler name, this method may return {@code null}.
80 * @return the name of the SSL handler.
81 */
82 protected String newSslHandlerName() {
83 return null;
84 }
85
86 /**
87 * Override to configure the SslHandler eg. {@link SSLParameters#setEndpointIdentificationAlgorithm(String)}.
88 * The hostname and port is not known by this method so servers may want to override this method and use the
89 * {@link SslContext#newHandler(ByteBufAllocator, String, int)} variant.
90 *
91 * @param context the {@link ChannelHandlerContext} to use.
92 * @param sslContext the {@link SSLContext} to use.
93 * @return the {@link SslHandler} which will replace the {@link OptionalSslHandler} in the pipeline if the
94 * traffic is SSL.
95 */
96 protected SslHandler newSslHandler(ChannelHandlerContext context, SslContext sslContext) {
97 return sslContext.newHandler(context.alloc());
98 }
99
100 /**
101 * Optionally specify the non-SSL handler name, this method may return {@code null}.
102 * @return the name of the non-SSL handler.
103 */
104 protected String newNonSslHandlerName() {
105 return null;
106 }
107
108 /**
109 * Override to configure the ChannelHandler.
110 * @param context the {@link ChannelHandlerContext} to use.
111 * @return the {@link ChannelHandler} which will replace the {@link OptionalSslHandler} in the pipeline
112 * or {@code null} to simply remove the {@link OptionalSslHandler} if the traffic is non-SSL.
113 */
114 protected ChannelHandler newNonSslHandler(ChannelHandlerContext context) {
115 return null;
116 }
117 }