mirror
/
KtIrc
mirror of https://github.com/csmith/KtIrc
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 20 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
165 Commits
2 Branches
Tree: cd293318a5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cd293318a5'
${ noResults }
KtIrc/src/main/kotlin/com/dmdirc/ktirc/io/Tls.kt

Tls.kt 7.2KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219 
  1. package com.dmdirc.ktirc.io

  2. 

  3. import com.dmdirc.ktirc.util.logger

  4. import kotlinx.coroutines.CoroutineScope

  5. import kotlinx.coroutines.channels.Channel

  6. import kotlinx.coroutines.channels.ClosedReceiveChannelException

  7. import kotlinx.coroutines.io.ByteChannel

  8. import kotlinx.coroutines.io.ByteWriteChannel

  9. import kotlinx.coroutines.launch

  10. import kotlinx.io.pool.useInstance

  11. import java.net.SocketAddress

  12. import java.nio.ByteBuffer

  13. import java.security.cert.CertificateException

  14. import java.security.cert.X509Certificate

  15. import java.util.regex.Pattern

  16. import javax.naming.ldap.LdapName

  17. import javax.naming.ldap.Rdn

  18. import javax.net.ssl.SSLContext

  19. import javax.net.ssl.SSLEngine

  20. import javax.net.ssl.SSLEngineResult

  21. 

  22. 

  23. internal class TlsSocket(

  24.         private val scope: CoroutineScope,

  25.         private val socket: Socket,

  26.         private val sslContext: SSLContext,

  27.         private val hostname: String

  28. ) : Socket {

  29. 

  30.     private val log by logger()

  31.     private var engine: SSLEngine = sslContext.createSSLEngine()

  32. 

  33.     private var incomingNetBuffer = ByteBuffer.allocate(0)

  34.     private var incomingAppBuffer = ByteBuffer.allocate(0)

  35.     private var outgoingAppBuffers = Channel<ByteBuffer>(capacity = Channel.UNLIMITED)

  36. 

  37.     private var writeChannel = ByteChannel(autoFlush = true)

  38. 

  39.     override val write: ByteWriteChannel

  40.         get() = writeChannel

  41. 

  42.     override val isOpen: Boolean

  43.         get() = socket.isOpen

  44. 

  45.     override fun bind(socketAddress: SocketAddress) {

  46.         socket.bind(socketAddress)

  47.     }

  48. 

  49.     override suspend fun connect(socketAddress: SocketAddress) {

  50.         writeChannel = ByteChannel(autoFlush = true)

  51. 

  52.         engine = sslContext.createSSLEngine().apply {

  53.             useClientMode = true

  54.         }

  55. 

  56.         incomingNetBuffer = ByteBuffer.allocate(engine.session.packetBufferSize + BUFFER_SIZE)

  57.         outgoingAppBuffers = Channel(capacity = Channel.UNLIMITED)

  58.         incomingAppBuffer = ByteBuffer.allocate(engine.session.applicationBufferSize)

  59. 

  60.         socket.connect(socketAddress)

  61. 

  62.         engine.beginHandshake()

  63. 

  64.         sslLoop()

  65.     }

  66. 

  67.     private suspend fun sslLoop(initialResult: SSLEngineResult? = null) {

  68.         var result: SSLEngineResult? = initialResult

  69.         var handshakeStatus = result?.handshakeStatus ?: engine.handshakeStatus

  70.         while (true) {

  71.             when (handshakeStatus) {

  72.                 SSLEngineResult.HandshakeStatus.NEED_TASK -> {

  73.                     engine.delegatedTask.run()

  74.                     handshakeStatus = engine.handshakeStatus

  75.                 }

  76.                 SSLEngineResult.HandshakeStatus.NEED_WRAP -> {

  77.                     result = wrap()

  78.                     handshakeStatus = result?.handshakeStatus

  79.                 }

  80. 

  81.                 SSLEngineResult.HandshakeStatus.NEED_UNWRAP -> {

  82.                     result = unwrap()

  83.                     handshakeStatus = result?.handshakeStatus

  84.                 }

  85. 

  86.                 SSLEngineResult.HandshakeStatus.FINISHED -> {

  87.                     val certs = engine.session.peerCertificates

  88.                     if (certs.isEmpty() || (certs[0] as? X509Certificate)?.validFor(hostname) == false) {

  89.                         throw CertificateException("Certificate is not valid for $hostname")

  90.                     }

  91.                     scope.launch { readLoop() }

  92.                     scope.launch { writeLoop() }

  93.                     return

  94.                 }

  95. 

  96.                 else -> return

  97.             }

  98.         }

  99.     }

  100. 

  101.     override suspend fun read() = try {

  102.         outgoingAppBuffers.receive()

  103.     } catch (_: ClosedReceiveChannelException) {

  104.         null

  105.     }

  106. 

  107.     private suspend fun wrap(): SSLEngineResult? {

  108.         var result: SSLEngineResult? = null

  109.         byteBufferPool.useInstance { netBuffer ->

  110.             if (engine.handshakeStatus <= SSLEngineResult.HandshakeStatus.FINISHED) {

  111.                 writeChannel.readAvailable(incomingAppBuffer)

  112.             }

  113.             incomingAppBuffer.flip()

  114.             result = engine.wrap(incomingAppBuffer, netBuffer)

  115.             incomingAppBuffer.compact()

  116. 

  117.             netBuffer.flip()

  118.             socket.write.writeFully(netBuffer)

  119.         }

  120.         return result

  121.     }

  122. 

  123.     private suspend fun unwrap(networkRead: Boolean = incomingNetBuffer.position() == 0): SSLEngineResult? {

  124.         if (networkRead) {

  125.             val buffer = socket.read()

  126.             if (buffer == null) {

  127.                 close()

  128.                 return null

  129.             }

  130.             incomingNetBuffer.put(buffer)

  131.             byteBufferPool.recycle(buffer)

  132.         }

  133. 

  134.         incomingNetBuffer.flip()

  135. 

  136.         val buffer = byteBufferPool.borrow()

  137.         val result = engine.unwrap(incomingNetBuffer, buffer)

  138.         incomingNetBuffer.compact()

  139.         if (buffer.position() > 0) {

  140.             buffer.flip()

  141.             outgoingAppBuffers.send(buffer)

  142.         } else {

  143.             byteBufferPool.recycle(buffer)

  144.         }

  145. 

  146.         return if (result?.status == SSLEngineResult.Status.BUFFER_UNDERFLOW && !networkRead) {

  147.             // We didn't do a network read, but SSLEngine is unhappy; force a read.

  148.             log.finest { "Incoming net buffer underflowed, forcing re-read" }

  149.             unwrap(true)

  150.         } else {

  151.             result

  152.         }

  153.     }

  154. 

  155.     override fun close() {

  156.         socket.close()

  157. 

  158.         // Release any buffers we've got queued up

  159.         while (true) {

  160.             outgoingAppBuffers.poll()?.let {

  161.                 byteBufferPool.recycle(it)

  162.             } ?: break

  163.         }

  164. 

  165.         outgoingAppBuffers.close()

  166.     }

  167. 

  168.     private suspend fun readLoop() {

  169.         while (socket.isOpen) {

  170.             sslLoop(unwrap())

  171.         }

  172.     }

  173. 

  174.     private suspend fun writeLoop() {

  175.         while (socket.isOpen) {

  176.             sslLoop(wrap())

  177.         }

  178.     }

  179. 

  180. }

  181. 

  182. internal fun X509Certificate.validFor(host: String): Boolean {

  183.     val hostParts = host.split('.')

  184.     return allNames

  185.             .map { it.split('.') }

  186.             .filter { it.size == hostParts.size }

  187.             .filter { it[0].wildCardMatches(hostParts[0]) }

  188.             .any { it.zip(hostParts).slice(1 until hostParts.size).all { (part, host) -> part.equals(host, ignoreCase = true) } }

  189. }

  190. 

  191. private fun String.wildCardMatches(host: String) =

  192.         count { it == '*' } <= 1 &&

  193.                 host.matches(Regex(split('*').joinToString(".*") { Pattern.quote(it) }, RegexOption.IGNORE_CASE))

  194. 

  195. private val X509Certificate.allNames: Sequence<String>

  196.     get() = sequence {

  197.         commonName?.let { yield(it) }

  198.         yieldAll(subjectAlternateNames)

  199.     }

  200. 

  201. private val X509Certificate.subjectAlternateNames: Set<String>

  202.     get() = nullOnThrow {

  203.         subjectAlternativeNames

  204.                 ?.filter { it[0] == 2 }

  205.                 ?.map { it[1].toString() }

  206.                 ?.toSet()

  207.     } ?: emptySet()

  208. 

  209. private val X509Certificate.commonName: String?

  210.     get() = nullOnThrow { rdns["CN"]?.firstOrNull()?.value?.toString() }

  211. 

  212. private val X509Certificate.rdns: Map<String, List<Rdn>>

  213.     get() = LdapName(subjectX500Principal.name).rdns.groupBy { it.type.toUpperCase() }

  214. 

  215. private inline fun <S> nullOnThrow(block: () -> S?): S? = try {

  216.     block()

  217. } catch (ex: Throwable) {

  218.     null

  219. }