Support for the ALPN extension of the TLS protocol for Client and Server

dart/sdk/lib/io/secure_socket.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 /**
  * A high-level class for communicating securely over a TCP socket, using
  * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an
  * [IOSink] interface, making it ideal for using together with
@@ skipping 21 matching lines @@
    * The handler receives the [X509Certificate], and can inspect it and
    * decide (or let the user decide) whether to accept
    * the connection or not.  The handler should return true
    * to continue the [SecureSocket] connection.
    */
   static Future<SecureSocket> connect(
       host,
       int port,
       {bool sendClientCertificate: false,
        String certificateName,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     return RawSecureSocket.connect(host,
                                    port,
                                    sendClientCertificate: sendClientCertificate,
                                    certificateName: certificateName,
-                                   onBadCertificate: onBadCertificate)
+                                   onBadCertificate: onBadCertificate,
+                                   supportedProtocols: supportedProtocols)
         .then((rawSocket) => new SecureSocket._(rawSocket));
   }
 
   /**
    * Takes an already connected [socket] and starts client side TLS
    * handshake to make the communication secure. When the returned
    * future completes the [SecureSocket] has completed the TLS
    * handshake. Using this function requires that the other end of the
    * connection is prepared for TLS handshake.
    *
@@ skipping 57 matching lines @@
    *
    * See [SecureServerSocket.bind] for more information on the
    * arguments.
    *
    */
   static Future<SecureSocket> secureServer(
       Socket socket,
       String certificateName,
       {List<int> bufferedData,
        bool requestClientCertificate: false,
-       bool requireClientCertificate: false}) {
+       bool requireClientCertificate: false,
+       List<String> supportedProtocols}) {
     var completer = new Completer();
     (socket as dynamic)._detachRaw()
         .then((detachedRaw) {
           return RawSecureSocket.secureServer(
             detachedRaw[0],
             certificateName,
             subscription: detachedRaw[1],
             bufferedData: bufferedData,
             requestClientCertificate: requestClientCertificate,
-            requireClientCertificate: requireClientCertificate);
+            requireClientCertificate: requireClientCertificate,
+            supportedProtocols: supportedProtocols);
           })
         .then((raw) {
           completer.complete(new SecureSocket._(raw));
         });
     return completer.future;
   }
 
   /**
    * Get the peer certificate for a connected SecureSocket.  If this
    * SecureSocket is the server end of a secure socket connection,
    * [peerCertificate] will return the client certificate, or null, if no
    * client certificate was received.  If it is the client end,
    * [peerCertificate] will return the server's certificate.
    */
   X509Certificate get peerCertificate;
 
   /**
+   * Get the protocol which was selected during protocol negotiation.
+   */
+  String get selectedProtocol;
+
+  /**
    * Renegotiate an existing secure connection, renewing the session keys
    * and possibly changing the connection properties.
    *
    * This repeats the SSL or TLS handshake, with options that allow clearing
    * the session cache and requesting a client certificate.
    */
   void renegotiate({bool useSessionCache: true,
                     bool requestClientCertificate: false,
                     bool requireClientCertificate: false});
 
@@ skipping 75 matching lines @@
    * The handler receives the [X509Certificate], and can inspect it and
    * decide (or let the user decide) whether to accept
    * the connection or not.  The handler should return true
    * to continue the [RawSecureSocket] connection.
    */
   static Future<RawSecureSocket> connect(
       host,
       int port,
       {bool sendClientCertificate: false,
        String certificateName,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     _RawSecureSocket._verifyFields(
         host,
         port,
         certificateName,
         false,
         false,
         false,
         sendClientCertificate,
         onBadCertificate);
     return RawSocket.connect(host, port)
         .then((socket) {
           return secure(socket,
                         sendClientCertificate: sendClientCertificate,
                         certificateName: certificateName,
-                        onBadCertificate: onBadCertificate);
+                        onBadCertificate: onBadCertificate,
+                        supportedProtocols: supportedProtocols);
         });
   }
 
   /**
    * Takes an already connected [socket] and starts client side TLS
    * handshake to make the communication secure. When the returned
    * future completes the [RawSecureSocket] has completed the TLS
    * handshake. Using this function requires that the other end of the
    * connection is prepared for TLS handshake.
    *
@@ skipping 17 matching lines @@
    *
    * See [connect] for more information on the arguments.
    *
    */
   static Future<RawSecureSocket> secure(
       RawSocket socket,
       {StreamSubscription subscription,
        host,
        bool sendClientCertificate: false,
        String certificateName,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     socket.readEventsEnabled = false;
     socket.writeEventsEnabled = false;
     return  _RawSecureSocket.connect(
         host != null ? host : socket.address.host,
         socket.port,
         certificateName,
         is_server: false,
         socket: socket,
         subscription: subscription,
         sendClientCertificate: sendClientCertificate,
-        onBadCertificate: onBadCertificate);
+        onBadCertificate: onBadCertificate,
+        supportedProtocols: supportedProtocols);
   }
 
   /**
    * Takes an already connected [socket] and starts server side TLS
    * handshake to make the communication secure. When the returned
    * future completes the [RawSecureSocket] has completed the TLS
    * handshake. Using this function requires that the other end of the
    * connection is going to start the TLS handshake.
    *
    * If the [socket] already has a subscription, pass the existing
@@ skipping 11 matching lines @@
    * See [RawSecureServerSocket.bind] for more information on the
    * arguments.
    *
    */
   static Future<RawSecureSocket> secureServer(
       RawSocket socket,
       String certificateName,
       {StreamSubscription subscription,
        List<int> bufferedData,
        bool requestClientCertificate: false,
-       bool requireClientCertificate: false}) {
+       bool requireClientCertificate: false,
+       List<String> supportedProtocols}) {
     socket.readEventsEnabled = false;
     socket.writeEventsEnabled = false;
     return _RawSecureSocket.connect(
         socket.address,
         socket.remotePort,
         certificateName,
         is_server: true,
         socket: socket,
         subscription: subscription,
         bufferedData: bufferedData,
         requestClientCertificate: requestClientCertificate,
-        requireClientCertificate: requireClientCertificate);
+        requireClientCertificate: requireClientCertificate,
+        supportedProtocols: supportedProtocols);
   }
 
   /**
    * Renegotiate an existing secure connection, renewing the session keys
    * and possibly changing the connection properties.
    *
    * This repeats the SSL or TLS handshake, with options that allow clearing
    * the session cache and requesting a client certificate.
    */
   void renegotiate({bool useSessionCache: true,
                     bool requestClientCertificate: false,
                     bool requireClientCertificate: false});
 
   /**
    * Get the peer certificate for a connected RawSecureSocket.  If this
    * RawSecureSocket is the server end of a secure socket connection,
    * [peerCertificate] will return the client certificate, or null, if no
    * client certificate was received.  If it is the client end,
    * [peerCertificate] will return the server's certificate.
    */
   X509Certificate get peerCertificate;
+
+  /**
+   * Get the protocol which was selected during protocol negotiation.
+   */
+  String get selectedProtocol;
 }
 
 
 /**
  * X509Certificate represents an SSL certificate, with accessors to
  * get the fields of the certificate.
  */
 class X509Certificate {
   X509Certificate(this.subject,
                   this.issuer,
@@ skipping 64 matching lines @@
   bool _closedRead = false;  // The secure socket has fired an onClosed event.
   bool _closedWrite = false;  // The secure socket has been closed for writing.
   Completer _closeCompleter = new Completer();  // The network socket is gone.
   _FilterStatus _filterStatus = new _FilterStatus();
   bool _connectPending = true;
   bool _filterPending = false;
   bool _filterActive = false;
 
   _SecureFilter _secureFilter = new _SecureFilter();
   int _filterPointer;
+  String _selectedProtocol;
 
   static Future<_RawSecureSocket> connect(
       host,
       int requestedPort,
       String certificateName,
       {bool is_server,
        RawSocket socket,
        StreamSubscription subscription,
        List<int> bufferedData,
        bool requestClientCertificate: false,
        bool requireClientCertificate: false,
        bool sendClientCertificate: false,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     _verifyFields(host, requestedPort, certificateName, is_server,
                  requestClientCertificate, requireClientCertificate,
                  sendClientCertificate, onBadCertificate);
     if (host is InternetAddress) host = host.host;
     var address = socket.address;
     if (host != null) address =  address._cloneWithNewHost(host);
     return new _RawSecureSocket(address,
                                 requestedPort,
                                 certificateName,
                                 is_server,
                                 socket,
                                 subscription,
                                 bufferedData,
                                 requestClientCertificate,
                                 requireClientCertificate,
                                 sendClientCertificate,
-                                onBadCertificate)
+                                onBadCertificate,
+                                supportedProtocols)
         ._handshakeComplete.future;
   }
 
   _RawSecureSocket(
       this.address,
       int requestedPort,
       this.certificateName,
       this.is_server,
       RawSocket this._socket,
       this._socketSubscription,
       this._bufferedData,
       this.requestClientCertificate,
       this.requireClientCertificate,
       this.sendClientCertificate,
-      this.onBadCertificate(X509Certificate certificate)) {
+      this.onBadCertificate(X509Certificate certificate),
+      List<String> supportedProtocols) {
     _controller = new StreamController<RawSocketEvent>(
         sync: true,
         onListen: _onSubscriptionStateChange,
         onPause: _onPauseStateChange,
         onResume: _onPauseStateChange,
         onCancel: _onSubscriptionStateChange);
     _stream = _controller.stream;
     // Throw an ArgumentError if any field is invalid.  After this, all
     // errors will be reported through the future or the stream.
     _secureFilter.init();
@@ skipping 24 matching lines @@
     }
     try {
       _secureFilter.connect(address.host,
                             (address as dynamic)._in_addr,
                             port,
                             is_server,
                             certificateName,
                             requestClientCertificate ||
                                 requireClientCertificate,
                             requireClientCertificate,
-                            sendClientCertificate);
+                            sendClientCertificate,
+                            _protocolsToLengthEncoding(supportedProtocols));
       _secureHandshake();
     } catch (e, s) {
       _reportError(e, s);
     }
   }
 
+  Uint8List _protocolsToLengthEncoding(List<String> protocols) {
+    if (protocols == null || protocols.length == 0) {
+      return new Uint8List(0);
+    }
+
+    // NOTE: The NSS library will treat the first protocol as the fallback
+    // protocol. The remaining ones are sorted in priority order.
+    // We therefore put the protocol least desired at the front, to make it the
+    // default.
+    List<int> bytes = [];

[Søren Gjesse, 2014/10/03 15:47:04]

You could allocate a 255 byte Uint8List here and return a view on the actual
data, or loop twice and first calculate the length (maybe with a fastcase for
ASCII). That will avoid the growable integer list.

[kustermann, 2014/11/07 16:20:03]

Did something similar. Had some discussions with Lasse about it and he  made a
faster implementation :)

+    _addProtocolBytes(bytes, protocols.last);
+    for (var i = 0; i < protocols.length -1; i++) {
+      _addProtocolBytes(bytes, protocols[i]);
+    }
+
+    return new Uint8List.fromList(bytes);
+  }
+
+  void _addProtocolBytes(List<int> outBytes, String protocol) {
+    var protocolBytes = UTF8.encode(protocol);
+    var len = protocolBytes.length;
+
+    if (len > 255) {
+      throw new ArgumentError(
+          'Cannot support protocols with more than 255 characters');
+    }
+    outBytes.add(len);
+    outBytes.addAll(protocolBytes);
+  }
+
   StreamSubscription listen(void onData(RawSocketEvent data),
                             {Function onError,
                              void onDone(),
                              bool cancelOnError}) {
     _sendWriteEvent();
     return _stream.listen(onData,
                           onError: onError,
                           onDone: onDone,
                           cancelOnError: cancelOnError);
   }
@@ skipping 157 matching lines @@
         _secureFilter.buffers[WRITE_PLAINTEXT].write(data, offset, bytes);
     if (written > 0) {
       _filterStatus.writeEmpty = false;
     }
     _scheduleFilter();
     return written;
   }
 
   X509Certificate get peerCertificate => _secureFilter.peerCertificate;
 
+  String get selectedProtocol => _selectedProtocol;
+
   bool _onBadCertificateWrapper(X509Certificate certificate) {
     if (onBadCertificate == null) return false;
     var result = onBadCertificate(certificate);
     if (result is bool) return result;
     throw new ArgumentError(
         "onBadCertificate callback returned non-boolean $result");
   }
 
   bool setOption(SocketOption option, bool enabled) {
     if (_socket == null) return false;
@@ skipping 93 matching lines @@
                               requireClientCertificate);
     _status = HANDSHAKE;
     _filterStatus.writeEmpty = false;
     _scheduleFilter();
   }
 
   void _secureHandshakeCompleteHandler() {
     _status = CONNECTED;
     if (_connectPending) {
       _connectPending = false;
-      // We don't want user code to run synchronously in this callback.
-      Timer.run(() => _handshakeComplete.complete(this));
+      try {
+        _selectedProtocol = _secureFilter.selectedProtocol();
+        // We don't want user code to run synchronously in this callback.
+        Timer.run(() => _handshakeComplete.complete(this));
+      } catch (error, stack) {
+        _handshakeComplete.completeError(error, stack);
+      }
     }
   }
 
   void _onPauseStateChange() {
     if (_controller.isPaused) {
       _pauseCount++;
     } else {
       _pauseCount--;
       if (_pauseCount == 0) {
         _scheduleReadEvent();
@@ skipping 38 matching lines @@
         if (_filterStatus.writeEmpty && _closedWrite && !_socketClosedWrite) {
           // Checks for and handles all cases of partially closed sockets.
           shutdown(SocketDirection.SEND);
           if (_status == CLOSED) return;
         }
         if (_filterStatus.readEmpty && _socketClosedRead && !_closedRead) {
           if (_status == HANDSHAKE) {
             _secureFilter.handshake();
             if (_status == HANDSHAKE) {
               throw new HandshakeException(
-                  'Connection terminated during handshake');
+                  'xConnection terminated during handshake');

[Søren Gjesse, 2014/10/03 15:47:04]

Accidental edit.

[kustermann, 2014/11/07 16:20:03]

Done.

             }
           }
           _closeHandler();
         }
         if (_status == CLOSED) return;
         if (_filterStatus.progress) {
           _filterPending = true;
           if (_filterStatus.writePlaintextNoLongerFull) _sendWriteEvent();
           if (_filterStatus.readEncryptedNoLongerFull) _readSocket();
           if (_filterStatus.writeEncryptedNoLongerEmpty) _writeSocket();
@@ skipping 280 matching lines @@
 abstract class _SecureFilter {
   external factory _SecureFilter();
 
   void connect(String hostName,
                Uint8List addr,
                int port,
                bool is_server,
                String certificateName,
                bool requestClientCertificate,
                bool requireClientCertificate,
-               bool sendClientCertificate);
+               bool sendClientCertificate,
+               Uint8List protocols);
   void destroy();
   void handshake();
   void rehandshake();
   void renegotiate(bool useSessionCache,
                    bool requestClientCertificate,
                    bool requireClientCertificate);
   void init();
   X509Certificate get peerCertificate;
   int processBuffer(int bufferIndex);
   void registerBadCertificateCallback(Function callback);
@@ skipping 47 matching lines @@
 /**
  * An exception that happens in the handshake phase of establishing
  * a secure network connection, when looking up or verifying a
  * certificate.
  */
 class CertificateException extends TlsException {
   const CertificateException([String message = "",
                             OSError osError = null])
      : super._("CertificateException", message, osError);
 }