Support for the ALPN extension of the TLS protocol for Client and Server

dart/runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
@@ skipping 103 matching lines @@
   Dart_Handle port_object = ThrowIfError(Dart_GetNativeArgument(args, 3));
   bool is_server = DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 4));
   Dart_Handle certificate_name_object =
       ThrowIfError(Dart_GetNativeArgument(args, 5));
   bool request_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 6));
   bool require_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 7));
   bool send_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 8));
+  Dart_Handle client_protocols_handle =
+      ThrowIfError(Dart_GetNativeArgument(args, 9));
 
   const char* host_name = NULL;
   // TODO(whesse): Is truncating a Dart string containing \0 what we want?
   ThrowIfError(Dart_StringToCString(host_name_object, &host_name));
 
   RawAddr raw_addr;
   SocketAddress::GetSockAddr(host_sockaddr_storage_object, &raw_addr);
 
   int64_t port;
   if (!DartUtils::GetInt64Value(port_object, &port)) {
     FATAL("The range of port_object was checked in Dart - it cannot fail here");
   }
 
   const char* certificate_name = NULL;
   if (Dart_IsString(certificate_name_object)) {
     ThrowIfError(Dart_StringToCString(certificate_name_object,
                                       &certificate_name));
   }
   // If this is a server connection, it must have a certificate to connect with.
   ASSERT(!is_server || certificate_name != NULL);
 
+
+
+  Dart_TypedData_Type protocols_type;
+  uint8_t* protocol_string = NULL;
+  intptr_t protocol_string_len = 0;
+
+  ASSERT(!Dart_IsNull(client_protocols_handle));
+  Dart_Handle result = Dart_TypedDataAcquireData(
+      client_protocols_handle,
+      &protocols_type,
+      reinterpret_cast<void**>(&protocol_string),
+      &protocol_string_len);
+  if (Dart_IsError(result)) {
+    Dart_PropagateError(result);
+  }
+
+  if (protocols_type != Dart_TypedData_kUint8) {
+    Dart_TypedDataReleaseData(client_protocols_handle);
+    Dart_PropagateError(
+        Dart_NewApiError("Unexpected type for protocols"));
+  }
+
   GetFilter(args)->Connect(host_name,
                            &raw_addr,
                            static_cast<int>(port),
                            is_server,
                            certificate_name,
                            request_client_certificate,
                            require_client_certificate,
-                           send_client_certificate);
+                           send_client_certificate,
+                           protocol_string,
+                           protocol_string_len);

[kustermann, 2014/10/03 13:25:26]

If GetFilter(args)->Connect() fails, can it unwind the stack without releasing
the TypedData?

Will the TypedData be released automatically?

[I've never worked with this C api, so I rely on you known what to do here].

[Søren Gjesse, 2014/10/03 15:47:04]

As discussed off-line you need to release it before calling Connect, that is
make a copy somehow.

[kustermann, 2014/11/07 16:20:03]

Instead of making more calls into the VM & copying the string, I give the handle
to the filter method, where I can guarantee that nothing unwinds the stack.

+  Dart_TypedDataReleaseData(client_protocols_handle);
 }
 
 
 void FUNCTION_NAME(SecureSocket_Destroy)(Dart_NativeArguments args) {
   SSLFilter* filter = GetFilter(args);
   SetFilter(args, NULL);
   filter->Destroy();
   delete filter;
 }
 
 
 void FUNCTION_NAME(SecureSocket_Handshake)(Dart_NativeArguments args) {
   GetFilter(args)->Handshake();
 }
 
 
+void FUNCTION_NAME(SecureSocket_GetSelectedProtocol)(
+    Dart_NativeArguments args) {
+  GetFilter(args)->GetSelectedProtocol(args);
+}
+
+
 void FUNCTION_NAME(SecureSocket_Renegotiate)(Dart_NativeArguments args) {
   bool use_session_cache =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 1));
   bool request_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 2));
   bool require_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 3));
   GetFilter(args)->Renegotiate(use_session_cache,
                                request_client_certificate,
                                require_client_certificate);
@@ skipping 472 matching lines @@
 }
 
 
 void SSLFilter::Connect(const char* host_name,
                         RawAddr* raw_addr,
                         int port,
                         bool is_server,
                         const char* certificate_name,
                         bool request_client_certificate,
                         bool require_client_certificate,
-                        bool send_client_certificate) {
+                        bool send_client_certificate,
+                        uint8_t *protocols,
+                        intptr_t protocols_len) {
   is_server_ = is_server;
   if (in_handshake_) {
     FATAL("Connect called twice on the same _SecureFilter.");
   }
 
   if (!is_server && certificate_name != NULL) {
     client_certificate_name_ = strdup(certificate_name);
   }
 
   filter_ = SSL_ImportFD(NULL, filter_);
   if (filter_ == NULL) {
     ThrowPRException("TlsException", "Failed SSL_ImportFD call");
   }
 
+
+  SECStatus status;
+
+  if (protocols_len > 0) {
+    status = SSL_OptionSet(filter_, SSL_ENABLE_ALPN, PR_TRUE);
+    ASSERT(status == SECSuccess);
+
+    status = SSL_SetNextProtoNego(filter_, protocols, protocols_len);
+    ASSERT(status == SECSuccess);
+  }
+
   SSLVersionRange vrange;
   vrange.min = SSL_LIBRARY_VERSION_3_0;
   vrange.max = SSL_LIBRARY_VERSION_TLS_1_2;
   SSL_VersionRangeSet(filter_, &vrange);
 
-  SECStatus status;
   if (is_server) {
     CERTCertificate* certificate = NULL;
     if (strstr(certificate_name, "CN=") != NULL) {
       // Look up certificate using the distinguished name (DN) certificate_name.
       CERTCertDBHandle* certificate_database = CERT_GetDefaultCertDB();
       if (certificate_database == NULL) {
         ThrowPRException("CertificateException",
                          "Certificate database cannot be loaded");
       }
       certificate = CERT_FindCertByNameString(certificate_database,
@@ skipping 124 matching lines @@
         ThrowPRException("HandshakeException",
                          "Handshake error in server");
       } else {
         ThrowPRException("HandshakeException",
                          "Handshake error in client");
       }
     }
   }
 }
 
+void SSLFilter::GetSelectedProtocol(Dart_NativeArguments args) {
+  // Space for the selected protocol.
+  const intptr_t kBufferSize = 256;
+  unsigned char buffer[kBufferSize + 1];
+
+  unsigned int outLength = 0;
+  SSLNextProtoState outState;
+
+  SECStatus status = SSL_GetNextProto(
+      filter_, &outState, buffer, &outLength, kBufferSize);
+  if (status == SECSuccess) {
+    if (outState == SSL_NEXT_PROTO_SELECTED ||
+        outState == SSL_NEXT_PROTO_NEGOTIATED) {
+      ASSERT(outLength <= kBufferSize);
+      buffer[outLength] = '\0';
+      Dart_Handle protocol_string = DartUtils::NewString(
+          reinterpret_cast<const char *>(&buffer[0]));
+      if (Dart_IsError(protocol_string)) {
+        ThrowPRException("HandshakeException",
+                         "Protocol selected via ALPN was non-UTF8");

[Søren Gjesse, 2014/10/03 15:47:04]

In principle this could also be an OOM i think, or maybe they never return.

[kustermann, 2014/11/07 16:20:02]

Rephrased message.

+      } else {
+        Dart_SetReturnValue(args, protocol_string);
+      }
+    } else if (outState == SSL_NEXT_PROTO_NO_OVERLAP) {
+      ThrowPRException("HandshakeException",
+                       "Client and Server could not agree upon a protocol");
+    } else if (outState == SSL_NEXT_PROTO_NO_SUPPORT) {
+      // A value of `null` denotes that the client did not support protocol
+      // negogiation.
+      Dart_SetReturnValue(args, Dart_Null());
+    } else {
+      UNREACHABLE();
+    }
+  } else {
+    ThrowPRException("HandshakeException",
+                     "Could not retrieve selected protocol via ALPN");
+  }
+}
+
 
 void SSLFilter::Renegotiate(bool use_session_cache,
                             bool request_client_certificate,
                             bool require_client_certificate) {
   SECStatus status;
   // The SSL_REQUIRE_CERTIFICATE option only takes effect if the
   // SSL_REQUEST_CERTIFICATE option is also set, so set it.
   request_client_certificate =
       request_client_certificate || require_client_certificate;
 
@@ skipping 124 matching lines @@
     }
     if (bytes_processed > 0) {
       memio_PutWriteResult(secret, bytes_processed);
     }
   }
   return bytes_processed;
 }
 
 }  // namespace bin
 }  // namespace dart