io.netty.handler.ssl.AbstractSniHandler Maven / Gradle / Ivy
Go to download
This artifact provides a single jar that contains all classes required to use remote EJB and JMS, including
all dependencies. It is intended for use by those not using maven, maven users should just import the EJB and
JMS BOM's instead (shaded JAR's cause lots of problems with maven, as it is very easy to inadvertently end up
with different versions on classes on the class path).
/*
* Copyright 2017 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.util.CharsetUtil;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.ScheduledFuture;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import static io.netty.util.internal.ObjectUtil.checkPositiveOrZero;
/**
* Enables SNI
* (Server Name Indication) extension for server side SSL. For clients
* support SNI, the server could have multiple host name bound on a single IP.
* The client will send host name in the handshake data so server could decide
* which certificate to choose for the host name.
*/
public abstract class AbstractSniHandler extends SslClientHelloHandler {
private static String extractSniHostname(ByteBuf in) {
// See https://tools.ietf.org/html/rfc5246#section-7.4.1.2
//
// Decode the ssl client hello packet.
//
// struct {
// ProtocolVersion client_version;
// Random random;
// SessionID session_id;
// CipherSuite cipher_suites<2..2^16-2>;
// CompressionMethod compression_methods<1..2^8-1>;
// select (extensions_present) {
// case false:
// struct {};
// case true:
// Extension extensions<0..2^16-1>;
// };
// } ClientHello;
//
// We have to skip bytes until SessionID (which sum to 34 bytes in this case).
int offset = in.readerIndex();
int endOffset = in.writerIndex();
offset += 34;
if (endOffset - offset >= 6) {
final int sessionIdLength = in.getUnsignedByte(offset);
offset += sessionIdLength + 1;
final int cipherSuitesLength = in.getUnsignedShort(offset);
offset += cipherSuitesLength + 2;
final int compressionMethodLength = in.getUnsignedByte(offset);
offset += compressionMethodLength + 1;
final int extensionsLength = in.getUnsignedShort(offset);
offset += 2;
final int extensionsLimit = offset + extensionsLength;
// Extensions should never exceed the record boundary.
if (extensionsLimit <= endOffset) {
while (extensionsLimit - offset >= 4) {
final int extensionType = in.getUnsignedShort(offset);
offset += 2;
final int extensionLength = in.getUnsignedShort(offset);
offset += 2;
if (extensionsLimit - offset < extensionLength) {
break;
}
// SNI
// See https://tools.ietf.org/html/rfc6066#page-6
if (extensionType == 0) {
offset += 2;
if (extensionsLimit - offset < 3) {
break;
}
final int serverNameType = in.getUnsignedByte(offset);
offset++;
if (serverNameType == 0) {
final int serverNameLength = in.getUnsignedShort(offset);
offset += 2;
if (extensionsLimit - offset < serverNameLength) {
break;
}
final String hostname = in.toString(offset, serverNameLength, CharsetUtil.US_ASCII);
return hostname.toLowerCase(Locale.US);
} else {
// invalid enum value
break;
}
}
offset += extensionLength;
}
}
}
return null;
}
protected final long handshakeTimeoutMillis;
private ScheduledFuture timeoutFuture;
private String hostname;
/**
* @param handshakeTimeoutMillis the handshake timeout in milliseconds
*/
protected AbstractSniHandler(long handshakeTimeoutMillis) {
this(0, handshakeTimeoutMillis);
}
/**
* @paramm maxClientHelloLength the maximum length of the client hello message.
* @param handshakeTimeoutMillis the handshake timeout in milliseconds
*/
protected AbstractSniHandler(int maxClientHelloLength, long handshakeTimeoutMillis) {
super(maxClientHelloLength);
this.handshakeTimeoutMillis = checkPositiveOrZero(handshakeTimeoutMillis, "handshakeTimeoutMillis");
}
public AbstractSniHandler() {
this(0, 0L);
}
@Override
public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
if (ctx.channel().isActive()) {
checkStartTimeout(ctx);
}
}
@Override
public void channelActive(ChannelHandlerContext ctx) throws Exception {
ctx.fireChannelActive();
checkStartTimeout(ctx);
}
private void checkStartTimeout(final ChannelHandlerContext ctx) {
if (handshakeTimeoutMillis <= 0 || timeoutFuture != null) {
return;
}
timeoutFuture = ctx.executor().schedule(new Runnable() {
@Override
public void run() {
if (ctx.channel().isActive()) {
SslHandshakeTimeoutException exception = new SslHandshakeTimeoutException(
"handshake timed out after " + handshakeTimeoutMillis + "ms");
ctx.fireUserEventTriggered(new SniCompletionEvent(exception));
ctx.close();
}
}
}, handshakeTimeoutMillis, TimeUnit.MILLISECONDS);
}
@Override
protected Future lookup(ChannelHandlerContext ctx, ByteBuf clientHello) throws Exception {
hostname = clientHello == null ? null : extractSniHostname(clientHello);
return lookup(ctx, hostname);
}
@Override
protected void onLookupComplete(ChannelHandlerContext ctx, Future future) throws Exception {
if (timeoutFuture != null) {
timeoutFuture.cancel(false);
}
try {
onLookupComplete(ctx, hostname, future);
} finally {
fireSniCompletionEvent(ctx, hostname, future);
}
}
/**
* Kicks off a lookup for the given SNI value and returns a {@link Future} which in turn will
* notify the {@link #onLookupComplete(ChannelHandlerContext, String, Future)} on completion.
*
* @see #onLookupComplete(ChannelHandlerContext, String, Future)
*/
protected abstract Future lookup(ChannelHandlerContext ctx, String hostname) throws Exception;
/**
* Called upon completion of the {@link #lookup(ChannelHandlerContext, String)} {@link Future}.
*
* @see #lookup(ChannelHandlerContext, String)
*/
protected abstract void onLookupComplete(ChannelHandlerContext ctx,
String hostname, Future future) throws Exception;
private static void fireSniCompletionEvent(ChannelHandlerContext ctx, String hostname, Future future) {
Throwable cause = future.cause();
if (cause == null) {
ctx.fireUserEventTriggered(new SniCompletionEvent(hostname));
} else {
ctx.fireUserEventTriggered(new SniCompletionEvent(hostname, cause));
}
}
}