mirror
/
KtIrc
mirror of https://github.com/csmith/KtIrc
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
152 Commits
2 Branches
Tree: 9cd759d547
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9cd759d547'
${ noResults }
KtIrc/src/main/kotlin/com/dmdirc/ktirc/io/Tls.kt

Tls.kt 7.3KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221 
  1. package com.dmdirc.ktirc.io

  2. 

  3. import com.dmdirc.ktirc.util.logger

  4. import kotlinx.coroutines.CoroutineScope

  5. import kotlinx.coroutines.channels.Channel

  6. import kotlinx.coroutines.channels.ClosedReceiveChannelException

  7. import kotlinx.coroutines.io.ByteChannel

  8. import kotlinx.coroutines.io.ByteWriteChannel

  9. import kotlinx.coroutines.launch

  10. import java.net.SocketAddress

  11. import java.nio.ByteBuffer

  12. import java.security.cert.CertificateException

  13. import java.security.cert.X509Certificate

  14. import java.util.regex.Pattern

  15. import javax.naming.ldap.LdapName

  16. import javax.naming.ldap.Rdn

  17. import javax.net.ssl.SSLContext

  18. import javax.net.ssl.SSLEngine

  19. import javax.net.ssl.SSLEngineResult

  20. 

  21. 

  22. internal class TlsSocket(

  23.         private val scope: CoroutineScope,

  24.         private val socket: Socket,

  25.         private val sslContext: SSLContext,

  26.         private val hostname: String

  27. ) : Socket {

  28. 

  29.     private val log by logger()

  30.     private var engine: SSLEngine = sslContext.createSSLEngine()

  31. 

  32.     private var incomingNetBuffer = ByteBuffer.allocate(0)

  33.     private var incomingAppBuffer = ByteBuffer.allocate(0)

  34.     private var outgoingAppBuffers = Channel<ByteBuffer>(capacity = Channel.UNLIMITED)

  35. 

  36.     private var writeChannel = ByteChannel(autoFlush = true)

  37. 

  38.     override val write: ByteWriteChannel

  39.         get() = writeChannel

  40. 

  41.     override val isOpen: Boolean

  42.         get() = socket.isOpen

  43. 

  44.     override fun bind(socketAddress: SocketAddress) {

  45.         socket.bind(socketAddress)

  46.     }

  47. 

  48.     override suspend fun connect(socketAddress: SocketAddress) {

  49.         writeChannel = ByteChannel(autoFlush = true)

  50. 

  51.         engine = sslContext.createSSLEngine().apply {

  52.             useClientMode = true

  53.         }

  54. 

  55.         incomingNetBuffer = ByteBuffer.allocate(engine.session.packetBufferSize)

  56.         outgoingAppBuffers = Channel(capacity = Channel.UNLIMITED)

  57.         incomingAppBuffer = ByteBuffer.allocate(engine.session.applicationBufferSize)

  58. 

  59.         socket.connect(socketAddress)

  60. 

  61.         engine.beginHandshake()

  62. 

  63.         sslLoop()

  64.     }

  65. 

  66.     private suspend fun sslLoop(initialResult: SSLEngineResult? = null) {

  67.         var result: SSLEngineResult? = initialResult

  68.         var handshakeStatus = result?.handshakeStatus ?: engine.handshakeStatus

  69.         while (true) {

  70.             when (handshakeStatus) {

  71.                 SSLEngineResult.HandshakeStatus.NEED_TASK -> {

  72.                     engine.delegatedTask.run()

  73.                     handshakeStatus = engine.handshakeStatus

  74.                 }

  75.                 SSLEngineResult.HandshakeStatus.NEED_WRAP -> {

  76.                     result = wrap()

  77.                     handshakeStatus = result?.handshakeStatus

  78.                 }

  79. 

  80.                 SSLEngineResult.HandshakeStatus.NEED_UNWRAP -> {

  81.                     result = unwrap()

  82.                     handshakeStatus = result?.handshakeStatus

  83.                 }

  84. 

  85.                 SSLEngineResult.HandshakeStatus.FINISHED -> {

  86.                     val certs = engine.session.peerCertificates

  87.                     if (certs.isEmpty() || (certs[0] as? X509Certificate)?.validFor(hostname) == false) {

  88.                         throw CertificateException("Certificate is not valid for $hostname")

  89.                     }

  90.                     scope.launch { readLoop() }

  91.                     scope.launch { writeLoop() }

  92.                     return

  93.                 }

  94. 

  95.                 else -> return

  96.             }

  97.         }

  98.     }

  99. 

  100.     override suspend fun read(buffer: ByteBuffer) = try {

  101.         val nextBuffer = outgoingAppBuffers.receive()

  102.         val bytes = nextBuffer.limit()

  103.         buffer.put(nextBuffer)

  104.         defaultPool.recycle(nextBuffer)

  105.         bytes

  106.     } catch (_: ClosedReceiveChannelException) {

  107.         -1

  108.     }

  109. 

  110.     private suspend fun wrap(): SSLEngineResult? {

  111.         var result: SSLEngineResult? = null

  112.         defaultPool.borrow { netBuffer ->

  113.             if (engine.handshakeStatus <= SSLEngineResult.HandshakeStatus.FINISHED) {

  114.                 writeChannel.readAvailable(incomingAppBuffer)

  115.             }

  116.             incomingAppBuffer.flip()

  117.             result = engine.wrap(incomingAppBuffer, netBuffer)

  118.             incomingAppBuffer.compact()

  119. 

  120.             netBuffer.flip()

  121.             socket.write.writeFully(netBuffer)

  122.         }

  123.         return result

  124.     }

  125. 

  126.     private suspend fun unwrap(networkRead: Boolean = incomingNetBuffer.position() == 0): SSLEngineResult? {

  127.         if (networkRead) {

  128.             val bytes = socket.read(incomingNetBuffer.slice())

  129.             if (bytes == -1) {

  130.                 close()

  131.                 return null

  132.             }

  133.             incomingNetBuffer.position(incomingNetBuffer.position() + bytes)

  134.         }

  135. 

  136.         incomingNetBuffer.flip()

  137. 

  138.         val buffer = defaultPool.borrow()

  139.         val result = engine.unwrap(incomingNetBuffer, buffer)

  140.         incomingNetBuffer.compact()

  141.         if (buffer.position() > 0) {

  142.             buffer.flip()

  143.             outgoingAppBuffers.send(buffer)

  144.         } else {

  145.             defaultPool.recycle(buffer)

  146.         }

  147. 

  148.         return if (result?.status == SSLEngineResult.Status.BUFFER_UNDERFLOW && !networkRead) {

  149.             // We didn't do a network read, but SSLEngine is unhappy; force a read.

  150.             log.finest { "Incoming net buffer underflowed, forcing re-read" }

  151.             unwrap(true)

  152.         } else {

  153.             result

  154.         }

  155.     }

  156. 

  157.     override fun close() {

  158.         socket.close()

  159. 

  160.         // Release any buffers we've got queued up

  161.         while(true) {

  162.             outgoingAppBuffers.poll()?.let {

  163.                 defaultPool.recycle(it)

  164.             } ?: break

  165.         }

  166. 

  167.         outgoingAppBuffers.close()

  168.     }

  169. 

  170.     private suspend fun readLoop() {

  171.         while (socket.isOpen) {

  172.             sslLoop(unwrap())

  173.         }

  174.     }

  175. 

  176.     private suspend fun writeLoop() {

  177.         while (socket.isOpen) {

  178.             sslLoop(wrap())

  179.         }

  180.     }

  181. 

  182. }

  183. 

  184. internal fun X509Certificate.validFor(host: String): Boolean {

  185.     val hostParts = host.split('.')

  186.     return allNames

  187.             .map { it.split('.') }

  188.             .filter { it.size == hostParts.size }

  189.             .filter { it[0].wildCardMatches(hostParts[0]) }

  190.             .any { it.zip(hostParts).slice(1 until hostParts.size).all { (part, host) -> part.equals(host, ignoreCase = true) } }

  191. }

  192. 

  193. private fun String.wildCardMatches(host: String) =

  194.         count { it == '*' } <= 1 &&

  195.                 host.matches(Regex(split('*').joinToString(".*") { Pattern.quote(it) }, RegexOption.IGNORE_CASE))

  196. 

  197. private val X509Certificate.allNames: Sequence<String>

  198.     get() = sequence {

  199.         commonName?.let { yield(it) }

  200.         yieldAll(subjectAlternateNames)

  201.     }

  202. 

  203. private val X509Certificate.subjectAlternateNames: Set<String>

  204.     get() = nullOnThrow {

  205.         subjectAlternativeNames

  206.                 ?.filter { it[0] == 2 }

  207.                 ?.map { it[1].toString() }

  208.                 ?.toSet()

  209.     } ?: emptySet()

  210. 

  211. private val X509Certificate.commonName: String?

  212.     get() = nullOnThrow { rdns["CN"]?.firstOrNull()?.value?.toString() }

  213. 

  214. private val X509Certificate.rdns: Map<String, List<Rdn>>

  215.     get() = LdapName(subjectX500Principal.name).rdns.groupBy { it.type.toUpperCase() }

  216. 

  217. private inline fun <S> nullOnThrow(block: () -> S?): S? = try {

  218.     block()

  219. } catch (ex: Throwable) {

  220.     null

  221. }