Add the ability to secure an already established raw socket connection

sdk/lib/io/secure_socket.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 /**
  * A high-level class for communicating securely over a TCP socket, using
  * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an
  * [IOSink] interface, making it ideal for using together with
@@ skipping 126 matching lines @@
     return  _RawSecureSocket.connect(
         host,
         port,
         certificateName,
         is_server: false,
         sendClientCertificate: sendClientCertificate,
         onBadCertificate: onBadCertificate);
   }
 
   /**
+   * Takes an already connected [socket] and starts client side TLS
+   * handshake to make the communication secure. When the returned
+   * future completes the [RawSecureSocket] has completed the TLS
+   * handshake. Using this function requires that the other end of the
+   * connection is prepared for TLS handshake.
+   *
+   * If the [socket] is already subscribed to pass the existing
+   * subscription in the [subscription] parameter. The secure socket
+   * will take over the subscription and process any subsequent
+   * events.
+   *
+   * See [connect] for more information on the arguments.
+   *
+   */
+  static Future<RawSecureSocket> secure(
+      RawSocket socket,
+      {StreamSubscription subscription,
+       bool sendClientCertificate: false,
+       String certificateName,
+       bool onBadCertificate(X509Certificate certificate)}) {
+    return  _RawSecureSocket.connect(
+        socket.host,
+        socket.port,
+        certificateName,
+        is_server: false,
+        socket: socket,
+        subscription: subscription,
+        sendClientCertificate: sendClientCertificate,
+        onBadCertificate: onBadCertificate);
+  }
+
+  /**
+   * Takes an already connected [socket] and starts server side TLS
+   * handshake to make the communication secure. When the returned
+   * future completes the [RawSecureSocket] has completed the TLS
+   * handshake. Using this function requires that the other end of the
+   * connection is going to start the TLS handshake.
+   *
+   * If the [socket] is already subscribed to pass the existing

[Mads Ager (google), 2013/04/19 05:28:19]

is already subscribed to -> already has a subscription?

(if you change, it should change above as well)

+   * subscription in the [subscription] parameter. The secure socket
+   * will take over the subscription and process any subsequent
+   * events.
+   *
+   * If some of the data of the TLS handshake has already been read
+   * from the socket this data can be passed in the [carryOverData]
+   * parameter. This data will be processed before any other data
+   * available on the socket.
+   *
+   * See [RawSecureServerSocket.bind] for more information on the
+   * arguments.
+   *
+   */
+  static Future<RawSecureSocket> secureServer(
+      RawSocket socket,
+      String certificateName,
+      {StreamSubscription subscription,
+       List<int> carryOverData,
+       bool requestClientCertificate: false,
+       bool requireClientCertificate: false}) {
+    return _RawSecureSocket.connect(
+        socket.remoteHost,
+        socket.remotePort,
+        certificateName,
+        is_server: true,
+        socket: socket,
+        subscription: subscription,
+        carryOverData: carryOverData,
+        requestClientCertificate: requestClientCertificate,
+        requireClientCertificate: requireClientCertificate);
+  }
+
+  /**
    * Get the peer certificate for a connected RawSecureSocket.  If this
    * RawSecureSocket is the server end of a secure socket connection,
    * [peerCertificate] will return the client certificate, or null, if no
    * client certificate was received.  If it is the client end,
    * [peerCertificate] will return the server's certificate.
    */
   X509Certificate get peerCertificate;
 }
 
 
@@ skipping 28 matching lines @@
   static final int READ_ENCRYPTED = 2;
   static final int WRITE_ENCRYPTED = 3;
   static final int NUM_BUFFERS = 4;
 
   RawSocket _socket;
   final Completer<_RawSecureSocket> _handshakeComplete =
       new Completer<_RawSecureSocket>();
   StreamController<RawSocketEvent> _controller;
   Stream<RawSocketEvent> _stream;
   StreamSubscription<RawSocketEvent> _socketSubscription;
+  List<int> _carryOverData;
+  int _carryOverDataIndex = 0;
   final String host;
   final bool is_server;
   final String certificateName;
   final bool requestClientCertificate;
   final bool requireClientCertificate;
   final bool sendClientCertificate;
   final Function onBadCertificate;
 
   var _status = NOT_CONNECTED;
   bool _writeEventsEnabled = true;
   bool _readEventsEnabled = true;
   bool _socketClosedRead = false;  // The network socket is closed for reading.
   bool _socketClosedWrite = false;  // The network socket is closed for writing.
   bool _closedRead = false;  // The secure socket has fired an onClosed event.
   bool _closedWrite = false;  // The secure socket has been closed for writing.
   bool _filterReadEmpty = true;  // There is no buffered data to read.
   bool _filterWriteEmpty = true;  // There is no buffered data to be written.
   bool _connectPending = false;
   _SecureFilter _secureFilter = new _SecureFilter();
 
   static Future<_RawSecureSocket> connect(
       String host,
       int requestedPort,
       String certificateName,
       {bool is_server,
        RawSocket socket,
+       StreamSubscription subscription,
+       List<int> carryOverData,
        bool requestClientCertificate: false,
        bool requireClientCertificate: false,
        bool sendClientCertificate: false,
        bool onBadCertificate(X509Certificate certificate)}){
      return new _RawSecureSocket(host,
                                  requestedPort,
                                  certificateName,
                                  is_server,
                                  socket,
+                                 subscription,
+                                 carryOverData,
                                  requestClientCertificate,
                                  requireClientCertificate,
                                  sendClientCertificate,
                                  onBadCertificate)
          ._handshakeComplete.future;
   }
 
   _RawSecureSocket(
       String this.host,
       int requestedPort,
       String this.certificateName,
       bool this.is_server,
       RawSocket socket,
+      StreamSubscription this._socketSubscription,
+      List<int> this._carryOverData,
       bool this.requestClientCertificate,
       bool this.requireClientCertificate,
       bool this.sendClientCertificate,
       bool this.onBadCertificate(X509Certificate certificate)) {
     _controller = new StreamController<RawSocketEvent>(
         onPauseStateChange: _onPauseStateChange,
         onSubscriptionStateChange: _onSubscriptionStateChange);
     _stream = _controller.stream;
     // Throw an ArgumentError if any field is invalid.  After this, all
     // errors will be reported through the future or the stream.
     _verifyFields();
     _secureFilter.init();
+    if (_carryOverData != null) _readFromCarryOver();
     _secureFilter.registerHandshakeCompleteCallback(
         _secureHandshakeCompleteHandler);
     if (onBadCertificate != null) {
       _secureFilter.registerBadCertificateCallback(onBadCertificate);
     }
     var futureSocket;
     if (socket == null) {
       futureSocket = RawSocket.connect(host, requestedPort);
     } else {
       futureSocket = new Future.immediate(socket);
     }
     futureSocket.then((rawSocket) {
       rawSocket.writeEventsEnabled = false;
       _socket = rawSocket;
-      _socketSubscription = _socket.listen(_eventDispatcher,
-                                           onError: _errorHandler,
-                                           onDone: _doneHandler);
+      if (_socketSubscription == null) {
+      // If a current subscription is provided use this otherwise

[Mads Ager (google), 2013/04/19 05:28:19]

indentation

+      // create a new one.
+        _socketSubscription = _socket.listen(_eventDispatcher,
+                                             onError: _errorHandler,
+                                             onDone: _doneHandler);
+      } else {
+        _socketSubscription.onData(_eventDispatcher);
+        _socketSubscription.onError(_errorHandler);
+        _socketSubscription.onDone(_doneHandler);
+      }
       _connectPending = true;
       _secureFilter.connect(host,
                             port,
                             is_server,
                             certificateName,
                             requestClientCertificate ||
                                 requireClientCertificate,
                             requireClientCertificate,
                             sendClientCertificate);
       _status = HANDSHAKE;
@@ skipping 231 matching lines @@
   void _eventDispatcher(RawSocketEvent event) {
     if (event == RawSocketEvent.READ) {
       _readHandler();
     } else if (event == RawSocketEvent.WRITE) {
       _writeHandler();
     } else if (event == RawSocketEvent.READ_CLOSED) {
       _closeHandler();
     }
   }
 
+  void _readFromCarryOver() {
+    assert(_carryOverData != null);
+    var encrypted = _secureFilter.buffers[READ_ENCRYPTED];
+    var len = 1;//_carryOverData.length - _carryOverDataIndex;
+    encrypted.data.setRange(encrypted.start + encrypted.length,
+                            len,
+                            _carryOverData,
+                            _carryOverDataIndex);
+    encrypted.length = len;
+    _carryOverDataIndex += len;
+    if (_carryOverData.length == _carryOverDataIndex) {
+      _carryOverData = null;
+    }
+  }
+
   void _readHandler() {
     if (_status == CLOSED) {
       return;
     } else if (_status == HANDSHAKE) {
       try {
         _secureHandshake();
         if (_status != HANDSHAKE) _readHandler();
       } catch (e) { _reportError(e, "RawSecureSocket error"); }
     } else {
       if (_status != CONNECTED) {
@@ skipping 117 matching lines @@
         }
       }
       if (encrypted.length > 0) {
         int bytes = _secureFilter.processBuffer(READ_ENCRYPTED);
         if (bytes > 0) {
           encrypted.advanceStart(bytes);
           progress = true;
         }
       }
       if (!_socketClosedRead && encrypted.free > 0) {
-        List<int> data = _socket.read(encrypted.free);
-        if (data != null) {
-          int bytes = data.length;
-          encrypted.data.setRange(encrypted.start + encrypted.length,
-                                  bytes,
-                                  data);
-          encrypted.length += bytes;
+        if (_carryOverData != null) {
+          _readFromCarryOver();
           progress = true;
+        } else {
+          List<int> data = _socket.read(encrypted.free);
+          if (data != null) {
+            int bytes = data.length;
+            encrypted.data.setRange(encrypted.start + encrypted.length,
+                                    bytes,
+                                    data);
+            encrypted.length += bytes;
+            progress = true;
+          }
         }
       }
     }
     // If there is any data in any stages of the filter, there should
     // be data in the plaintext buffer after this process.
     // TODO(whesse): Verify that this is true, and there can be no
     // partial encrypted block stuck in the secureFilter.
     _filterReadEmpty = (plaintext.length == 0);
   }
 
@@ skipping 75 matching lines @@
   void destroy();
   void handshake();
   void init();
   X509Certificate get peerCertificate;
   int processBuffer(int bufferIndex);
   void registerBadCertificateCallback(Function callback);
   void registerHandshakeCompleteCallback(Function handshakeCompleteHandler);
 
   List<_ExternalBuffer> get buffers;
 }