mirror
/
KtIrc
mirror of https://github.com/csmith/KtIrc
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
151 Commits
2 Branches
Tree: 51b19e41b5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '51b19e41b5'
${ noResults }
KtIrc/src/main/kotlin/com/dmdirc/ktirc/io/Tls.kt

Tls.kt 7.0KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210 
  1. package com.dmdirc.ktirc.io

  2. 

  3. import com.dmdirc.ktirc.util.logger

  4. import kotlinx.coroutines.CoroutineScope

  5. import kotlinx.coroutines.channels.Channel

  6. import kotlinx.coroutines.io.ByteChannel

  7. import kotlinx.coroutines.io.ByteWriteChannel

  8. import kotlinx.coroutines.launch

  9. import java.net.SocketAddress

  10. import java.nio.ByteBuffer

  11. import java.security.cert.CertificateException

  12. import java.security.cert.X509Certificate

  13. import java.util.regex.Pattern

  14. import javax.naming.ldap.LdapName

  15. import javax.naming.ldap.Rdn

  16. import javax.net.ssl.SSLContext

  17. import javax.net.ssl.SSLEngine

  18. import javax.net.ssl.SSLEngineResult

  19. 

  20. 

  21. internal class TlsSocket(

  22.         private val scope: CoroutineScope,

  23.         private val socket: Socket,

  24.         private val sslContext: SSLContext,

  25.         private val hostname: String

  26. ) : Socket {

  27. 

  28.     private val log by logger()

  29.     private var engine: SSLEngine = sslContext.createSSLEngine()

  30. 

  31.     private var incomingNetBuffer = ByteBuffer.allocate(0)

  32.     private var incomingAppBuffer = ByteBuffer.allocate(0)

  33.     private var outgoingAppBuffers = Channel<ByteBuffer>(capacity = Channel.UNLIMITED)

  34. 

  35.     private var writeChannel = ByteChannel(autoFlush = true)

  36. 

  37.     override val write: ByteWriteChannel

  38.         get() = writeChannel

  39. 

  40.     override val isOpen: Boolean

  41.         get() = socket.isOpen

  42. 

  43.     override fun bind(socketAddress: SocketAddress) {

  44.         socket.bind(socketAddress)

  45.     }

  46. 

  47.     override suspend fun connect(socketAddress: SocketAddress) {

  48.         writeChannel = ByteChannel(autoFlush = true)

  49. 

  50.         engine = sslContext.createSSLEngine().apply {

  51.             useClientMode = true

  52.         }

  53. 

  54.         incomingNetBuffer = ByteBuffer.allocate(engine.session.packetBufferSize)

  55.         outgoingAppBuffers = Channel(capacity = Channel.UNLIMITED)

  56.         incomingAppBuffer = ByteBuffer.allocate(engine.session.applicationBufferSize)

  57. 

  58.         socket.connect(socketAddress)

  59. 

  60.         engine.beginHandshake()

  61. 

  62.         sslLoop()

  63.     }

  64. 

  65.     private suspend fun sslLoop(initialResult: SSLEngineResult? = null) {

  66.         var result: SSLEngineResult? = initialResult

  67.         var handshakeStatus = result?.handshakeStatus ?: engine.handshakeStatus

  68.         while (true) {

  69.             when (handshakeStatus) {

  70.                 SSLEngineResult.HandshakeStatus.NEED_TASK -> {

  71.                     engine.delegatedTask.run()

  72.                     handshakeStatus = engine.handshakeStatus

  73.                 }

  74.                 SSLEngineResult.HandshakeStatus.NEED_WRAP -> {

  75.                     result = wrap()

  76.                     handshakeStatus = result?.handshakeStatus

  77.                 }

  78. 

  79.                 SSLEngineResult.HandshakeStatus.NEED_UNWRAP -> {

  80.                     result = unwrap()

  81.                     handshakeStatus = result?.handshakeStatus

  82.                 }

  83. 

  84.                 SSLEngineResult.HandshakeStatus.FINISHED -> {

  85.                     val certs = engine.session.peerCertificates

  86.                     if (certs.isEmpty() || (certs[0] as? X509Certificate)?.validFor(hostname) == false) {

  87.                         throw CertificateException("Certificate is not valid for $hostname")

  88.                     }

  89.                     scope.launch { readLoop() }

  90.                     scope.launch { writeLoop() }

  91.                     return

  92.                 }

  93. 

  94.                 else -> return

  95.             }

  96.         }

  97.     }

  98. 

  99.     override suspend fun read(buffer: ByteBuffer): Int {

  100.         val nextBuffer = outgoingAppBuffers.receive()

  101.         val bytes = nextBuffer.limit()

  102.         buffer.put(nextBuffer)

  103.         defaultPool.recycle(nextBuffer)

  104.         return bytes

  105.     }

  106. 

  107.     private suspend fun wrap(): SSLEngineResult? {

  108.         var result: SSLEngineResult? = null

  109.         defaultPool.borrow { netBuffer ->

  110.             if (engine.handshakeStatus <= SSLEngineResult.HandshakeStatus.FINISHED) {

  111.                 writeChannel.readAvailable(incomingAppBuffer)

  112.             }

  113.             incomingAppBuffer.flip()

  114.             result = engine.wrap(incomingAppBuffer, netBuffer)

  115.             incomingAppBuffer.compact()

  116. 

  117.             netBuffer.flip()

  118.             socket.write.writeFully(netBuffer)

  119.         }

  120.         return result

  121.     }

  122. 

  123.     private suspend fun unwrap(networkRead: Boolean = incomingNetBuffer.position() == 0): SSLEngineResult? {

  124.         if (networkRead) {

  125.             val bytes = socket.read(incomingNetBuffer.slice())

  126.             if (bytes == -1) {

  127.                 close()

  128.                 return null

  129.             }

  130.             incomingNetBuffer.position(incomingNetBuffer.position() + bytes)

  131.         }

  132. 

  133.         incomingNetBuffer.flip()

  134. 

  135.         val buffer = defaultPool.borrow()

  136.         val result = engine.unwrap(incomingNetBuffer, buffer)

  137.         incomingNetBuffer.compact()

  138.         if (buffer.position() > 0) {

  139.             buffer.flip()

  140.             outgoingAppBuffers.send(buffer)

  141.         } else {

  142.             defaultPool.recycle(buffer)

  143.         }

  144. 

  145.         return if (result?.status == SSLEngineResult.Status.BUFFER_UNDERFLOW && !networkRead) {

  146.             // We didn't do a network read, but SSLEngine is unhappy; force a read.

  147.             log.finest { "Incoming net buffer underflowed, forcing re-read" }

  148.             unwrap(true)

  149.         } else {

  150.             result

  151.         }

  152.     }

  153. 

  154.     override fun close() {

  155.         socket.close()

  156.         outgoingAppBuffers.close()

  157.     }

  158. 

  159.     private suspend fun readLoop() {

  160.         while (socket.isOpen) {

  161.             sslLoop(unwrap())

  162.         }

  163.     }

  164. 

  165.     private suspend fun writeLoop() {

  166.         while (socket.isOpen) {

  167.             sslLoop(wrap())

  168.         }

  169.     }

  170. 

  171. }

  172. 

  173. internal fun X509Certificate.validFor(host: String): Boolean {

  174.     val hostParts = host.split('.')

  175.     return allNames

  176.             .map { it.split('.') }

  177.             .filter { it.size == hostParts.size }

  178.             .filter { it[0].wildCardMatches(hostParts[0]) }

  179.             .any { it.zip(hostParts).slice(1 until hostParts.size).all { (part, host) -> part.equals(host, ignoreCase = true) } }

  180. }

  181. 

  182. private fun String.wildCardMatches(host: String) =

  183.         count { it == '*' } <= 1 &&

  184.                 host.matches(Regex(split('*').joinToString(".*") { Pattern.quote(it) }, RegexOption.IGNORE_CASE))

  185. 

  186. private val X509Certificate.allNames: Sequence<String>

  187.     get() = sequence {

  188.         commonName?.let { yield(it) }

  189.         yieldAll(subjectAlternateNames)

  190.     }

  191. 

  192. private val X509Certificate.subjectAlternateNames: Set<String>

  193.     get() = nullOnThrow {

  194.         subjectAlternativeNames

  195.                 ?.filter { it[0] == 2 }

  196.                 ?.map { it[1].toString() }

  197.                 ?.toSet()

  198.     } ?: emptySet()

  199. 

  200. private val X509Certificate.commonName: String?

  201.     get() = nullOnThrow { rdns["CN"]?.firstOrNull()?.value?.toString() }

  202. 

  203. private val X509Certificate.rdns: Map<String, List<Rdn>>

  204.     get() = LdapName(subjectX500Principal.name).rdns.groupBy { it.type.toUpperCase() }

  205. 

  206. private inline fun <S> nullOnThrow(block: () -> S?): S? = try {

  207.     block()

  208. } catch (ex: Throwable) {

  209.     null

  210. }