org.postgresql.adba.util.tlschannel.ServerTlsChannel Maven / Gradle / Ivy
/*
MIT License
Copyright (c) [2015-2018] all contributors of https://github.com/marianobarrios/tls-channel, Alexander Kjäll
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
package org.postgresql.adba.util.tlschannel;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ByteChannel;
import java.nio.channels.Channel;
import java.nio.channels.ClosedChannelException;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import org.postgresql.adba.util.tlschannel.impl.BufferHolder;
import org.postgresql.adba.util.tlschannel.impl.ByteBufferSet;
import org.postgresql.adba.util.tlschannel.impl.TlsChannelImpl;
import org.postgresql.adba.util.tlschannel.impl.TlsChannelImpl.EofException;
import org.postgresql.adba.util.tlschannel.impl.TlsExplorer;
import org.postgresql.adba.util.tlschannel.util.TlsChannelCallbackException;
/**
* A server-side {@link TlsChannel}.
*/
public class ServerTlsChannel implements TlsChannel {
private static final Logger logger = Logger.getLogger(ServerTlsChannel.class.getName());
private interface SslContextStrategy {
@FunctionalInterface
interface SniReader {
Optional readSni() throws IOException, EofException;
}
SSLContext getSslContext(SniReader sniReader) throws IOException, EofException;
}
private static class SniSslContextStrategy implements SslContextStrategy {
private SniSslContextFactory sniSslContextFactory;
public SniSslContextStrategy(SniSslContextFactory sniSslContextFactory) {
this.sniSslContextFactory = sniSslContextFactory;
}
@Override
public SSLContext getSslContext(SniReader sniReader) throws IOException, EofException {
// IO block
Optional nameOpt = sniReader.readSni();
// call client code
Optional chosenContext;
try {
chosenContext = sniSslContextFactory.getSslContext(nameOpt);
} catch (Exception e) {
logger.log(Level.INFO, "client code threw exception during evaluation of server name indication", e);
throw new TlsChannelCallbackException("SNI callback failed", e);
}
return chosenContext.orElseThrow(
() -> new SSLHandshakeException("No ssl context available for received SNI: " + nameOpt));
}
}
private static class FixedSslContextStrategy implements SslContextStrategy {
private final SSLContext sslContext;
public FixedSslContextStrategy(SSLContext sslContext) {
this.sslContext = sslContext;
}
@Override
public SSLContext getSslContext(SniReader sniReader) {
/*
* Avoid SNI parsing (using the supplied sniReader) when no decision
* would be made based on it.
*/
return sslContext;
}
}
private static SSLEngine defaultSslEngineFactory(SSLContext sslContext) {
SSLEngine engine = sslContext.createSSLEngine();
engine.setUseClientMode(false);
return engine;
}
/**
* Builder of {@link ServerTlsChannel}.
*/
public static class Builder extends TlsChannelBuilder {
private final SslContextStrategy internalSslContextFactory;
private Function sslEngineFactory = ServerTlsChannel::defaultSslEngineFactory;
private Builder(ByteChannel underlying, SSLContext sslContext) {
super(underlying);
this.internalSslContextFactory = new FixedSslContextStrategy(sslContext);
}
private Builder(ByteChannel wrapped, SniSslContextFactory sslContextFactory) {
super(wrapped);
this.internalSslContextFactory = new SniSslContextStrategy(sslContextFactory);
}
@Override
Builder getThis() {
return this;
}
public Builder withEngineFactory(Function sslEngineFactory) {
this.sslEngineFactory = sslEngineFactory;
return this;
}
public ServerTlsChannel build() {
return new ServerTlsChannel(underlying, internalSslContextFactory, sslEngineFactory, sessionInitCallback,
runTasks, plainBufferAllocator, encryptedBufferAllocator, releaseBuffers, waitForCloseConfirmation);
}
}
/**
* Create a new {@link Builder}, configured with a underlying {@link Channel} and a fixed {@link SSLContext}, which will be used
* to create the {@link SSLEngine}.
*
* @param underlying a reference to the underlying {@link ByteChannel}
* @param sslContext a fixed {@link SSLContext} to be used
* @return a new Builder
*/
public static Builder newBuilder(ByteChannel underlying, SSLContext sslContext) {
return new Builder(underlying, sslContext);
}
/**
* Create a new {@link Builder}, configured with a underlying {@link Channel} and a custom {@link SSLContext}
* factory, which will be used to create the context (in turn used to create the {@link SSLEngine}, as a function of the SNI
* received at the TLS connection start.
*
* Implementation note:
Due to limitations of {@link SSLEngine}, configuring a {@link
* ServerTlsChannel} to select the {@link SSLContext} based on the SNI value implies parsing the first TLS frame (ClientHello)
* independently of the SSLEngine.
*
* @param underlying a reference to the underlying {@link ByteChannel}
* @param sslContextFactory a function from an optional SNI to the {@link SSLContext} to be used
* @see Server Name Indication
* @return a new Builder
*/
public static Builder newBuilder(ByteChannel underlying, SniSslContextFactory sslContextFactory) {
return new Builder(underlying, sslContextFactory);
}
private final ByteChannel underlying;
private final SslContextStrategy sslContextStrategy;
private final Function engineFactory;
private final Consumer sessionInitCallback;
private final boolean runTasks;
private final TrackingAllocator plainBufAllocator;
private final TrackingAllocator encryptedBufAllocator;
private final boolean releaseBuffers;
private final boolean waitForCloseConfirmation;
private final Lock initLock = new ReentrantLock();
private BufferHolder inEncrypted;
private volatile boolean sniRead = false;
private SSLContext sslContext = null;
private TlsChannelImpl impl = null;
// @formatter:off
private ServerTlsChannel(
ByteChannel underlying,
SslContextStrategy internalSslContextFactory,
Function engineFactory,
Consumer sessionInitCallback,
boolean runTasks,
BufferAllocator plainBufAllocator,
BufferAllocator encryptedBufAllocator,
boolean releaseBuffers,
boolean waitForCloseConfirmation) {
this.underlying = underlying;
this.sslContextStrategy = internalSslContextFactory;
this.engineFactory = engineFactory;
this.sessionInitCallback = sessionInitCallback;
this.runTasks = runTasks;
this.plainBufAllocator = new TrackingAllocator(plainBufAllocator);
this.encryptedBufAllocator = new TrackingAllocator(encryptedBufAllocator);
this.releaseBuffers = releaseBuffers;
this.waitForCloseConfirmation = waitForCloseConfirmation;
inEncrypted = new BufferHolder(
"inEncrypted",
Optional.empty(),
encryptedBufAllocator,
TlsChannelImpl.buffersInitialSize,
TlsChannelImpl.maxTlsPacketSize,
false /* plainData */,
releaseBuffers);
}
// @formatter:on
@Override
public ByteChannel getUnderlying() {
return underlying;
}
/**
* Return the used {@link SSLContext}.
*
* @return if context if present, of null if the TLS connection as not been initializer, or the SNI not received yet.
*/
public SSLContext getSslContext() {
return sslContext;
}
@Override
public SSLEngine getSslEngine() {
return impl == null ? null : impl.engine();
}
@Override
public Consumer getSessionInitCallback() {
return sessionInitCallback;
}
@Override
public boolean getRunTasks() {
return impl.getRunTasks();
}
@Override
public TrackingAllocator getPlainBufferAllocator() {
return plainBufAllocator;
}
@Override
public TrackingAllocator getEncryptedBufferAllocator() {
return encryptedBufAllocator;
}
@Override
public long read(ByteBuffer[] dstBuffers, int offset, int length) throws IOException {
ByteBufferSet dest = new ByteBufferSet(dstBuffers, offset, length);
TlsChannelImpl.checkReadBuffer(dest);
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
return -1;
}
}
return impl.read(dest);
}
@Override
public long read(ByteBuffer[] dstBuffers) throws IOException {
return read(dstBuffers, 0, dstBuffers.length);
}
@Override
public int read(ByteBuffer dstBuffer) throws IOException {
return (int) read(new ByteBuffer[]{dstBuffer});
}
@Override
public long write(ByteBuffer[] srcs, int offset, int length) throws IOException {
ByteBufferSet source = new ByteBufferSet(srcs, offset, length);
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
throw new ClosedChannelException();
}
}
return impl.write(source);
}
@Override
public long write(ByteBuffer[] srcs) throws IOException {
return write(srcs, 0, srcs.length);
}
@Override
public int write(ByteBuffer srcBuffer) throws IOException {
return (int) write(new ByteBuffer[]{srcBuffer});
}
@Override
public void renegotiate() throws IOException {
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
throw new ClosedChannelException();
}
}
impl.renegotiate();
}
@Override
public void handshake() throws IOException {
if (!sniRead) {
try {
initEngine();
} catch (EofException e) {
throw new ClosedChannelException();
}
}
impl.handshake();
}
@Override
public void close() throws IOException {
if (impl != null) {
impl.close();
}
if (inEncrypted != null) {
inEncrypted.dispose();
}
underlying.close();
}
@Override
public boolean isOpen() {
return underlying.isOpen();
}
private void initEngine() throws IOException, EofException {
initLock.lock();
try {
if (!sniRead) {
sslContext = sslContextStrategy.getSslContext(this::getServerNameIndication);
// call client code
SSLEngine engine;
try {
engine = engineFactory.apply(sslContext);
} catch (Exception e) {
logger.log(Level.INFO, "client threw exception in SSLEngine factory", e);
throw new TlsChannelCallbackException("SSLEngine creation callback failed", e);
}
impl = new TlsChannelImpl(underlying, underlying, engine, Optional.of(inEncrypted), sessionInitCallback,
runTasks, plainBufAllocator, encryptedBufAllocator, releaseBuffers, waitForCloseConfirmation);
inEncrypted = null;
sniRead = true;
}
} finally {
initLock.unlock();
}
}
private Optional getServerNameIndication() throws IOException, EofException {
inEncrypted.prepare();
try {
int recordHeaderSize = readRecordHeaderSize();
while (inEncrypted.buffer.position() < recordHeaderSize) {
if (!inEncrypted.buffer.hasRemaining()) {
inEncrypted.enlarge();
}
TlsChannelImpl.readFromChannel(underlying, inEncrypted.buffer); // IO block
}
inEncrypted.buffer.flip();
Map serverNames = TlsExplorer.explore(inEncrypted.buffer);
inEncrypted.buffer.compact();
SNIServerName hostName = serverNames.get(StandardConstants.SNI_HOST_NAME);
if (hostName != null && hostName instanceof SNIHostName) {
SNIHostName sniHostName = (SNIHostName) hostName;
return Optional.of(sniHostName);
} else {
return Optional.empty();
}
} finally {
inEncrypted.release();
}
}
private int readRecordHeaderSize() throws IOException, EofException {
while (inEncrypted.buffer.position() < TlsExplorer.RECORD_HEADER_SIZE) {
if (!inEncrypted.buffer.hasRemaining()) {
throw new IllegalStateException("inEncrypted too small");
}
TlsChannelImpl.readFromChannel(underlying, inEncrypted.buffer); // IO block
}
inEncrypted.buffer.flip();
int recordHeaderSize = TlsExplorer.getRequiredSize(inEncrypted.buffer);
inEncrypted.buffer.compact();
return recordHeaderSize;
}
@Override
public boolean shutdown() throws IOException {
return impl != null && impl.shutdown();
}
@Override
public boolean shutdownReceived() {
return impl != null && impl.shutdownReceived();
}
@Override
public boolean shutdownSent() {
return impl != null && impl.shutdownSent();
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy