Support for the ALPN extension of the TLS protocol for Client and Server

dart/runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
@@ skipping 42 matching lines @@
   PRErrorCode error_code = PR_GetError();
   const char* error_message = PR_ErrorToString(error_code, PR_LANGUAGE_EN);
   OSError os_error_struct(error_code, error_message, OSError::kNSS);
   Dart_Handle os_error = DartUtils::NewDartOSError(&os_error_struct);
   Dart_Handle exception =
       DartUtils::NewDartIOException(exception_type, message, os_error);
   if (free_message) {
     free(const_cast<char*>(message));
   }
   Dart_ThrowException(exception);
+  UNREACHABLE();
 }
 
 
 static void ThrowCertificateException(const char* format,
                                       const char* certificate_name) {
   int length = strlen(certificate_name);
   length += strlen(format);
   char* message = reinterpret_cast<char*>(malloc(length + 1));
   if (message == NULL) {
     FATAL("Out of memory formatting CertificateException for throwing");
@@ skipping 41 matching lines @@
   Dart_Handle port_object = ThrowIfError(Dart_GetNativeArgument(args, 3));
   bool is_server = DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 4));
   Dart_Handle certificate_name_object =
       ThrowIfError(Dart_GetNativeArgument(args, 5));
   bool request_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 6));
   bool require_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 7));
   bool send_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 8));
+  Dart_Handle protocols_handle =
+      ThrowIfError(Dart_GetNativeArgument(args, 9));
 
   const char* host_name = NULL;
   // TODO(whesse): Is truncating a Dart string containing \0 what we want?
   ThrowIfError(Dart_StringToCString(host_name_object, &host_name));
 
   RawAddr raw_addr;
   SocketAddress::GetSockAddr(host_sockaddr_storage_object, &raw_addr);
 
   int64_t port;
   if (!DartUtils::GetInt64Value(port_object, &port)) {
     FATAL("The range of port_object was checked in Dart - it cannot fail here");
   }
 
   const char* certificate_name = NULL;
   if (Dart_IsString(certificate_name_object)) {
     ThrowIfError(Dart_StringToCString(certificate_name_object,
                                       &certificate_name));
   }
   // If this is a server connection, it must have a certificate to connect with.
   ASSERT(!is_server || certificate_name != NULL);
 
+  // The protocols_handle is guaranteed to be a valid Uint8List.
+  // It will have the correct length encoding of the protocols array.
+  ASSERT(!Dart_IsNull(protocols_handle));
+
   GetFilter(args)->Connect(host_name,
                            &raw_addr,
                            static_cast<int>(port),
                            is_server,
                            certificate_name,
                            request_client_certificate,
                            require_client_certificate,
-                           send_client_certificate);
+                           send_client_certificate,
+                           protocols_handle);
 }
 
 
 void FUNCTION_NAME(SecureSocket_Destroy)(Dart_NativeArguments args) {
   SSLFilter* filter = GetFilter(args);
   SetFilter(args, NULL);
   filter->Destroy();
   delete filter;
 }
 
 
 void FUNCTION_NAME(SecureSocket_Handshake)(Dart_NativeArguments args) {
   GetFilter(args)->Handshake();
 }
 
 
+void FUNCTION_NAME(SecureSocket_GetSelectedProtocol)(
+    Dart_NativeArguments args) {
+  GetFilter(args)->GetSelectedProtocol(args);
+}
+
+
 void FUNCTION_NAME(SecureSocket_Renegotiate)(Dart_NativeArguments args) {
   bool use_session_cache =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 1));
   bool request_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 2));
   bool require_client_certificate =
       DartUtils::GetBooleanValue(Dart_GetNativeArgument(args, 3));
   GetFilter(args)->Renegotiate(use_session_cache,
                                request_client_certificate,
                                require_client_certificate);
@@ skipping 472 matching lines @@
 }
 
 
 void SSLFilter::Connect(const char* host_name,
                         RawAddr* raw_addr,
                         int port,
                         bool is_server,
                         const char* certificate_name,
                         bool request_client_certificate,
                         bool require_client_certificate,
-                        bool send_client_certificate) {
+                        bool send_client_certificate,
+                        Dart_Handle protocols_handle) {
   is_server_ = is_server;
   if (in_handshake_) {
     FATAL("Connect called twice on the same _SecureFilter.");
   }
 
   if (!is_server && certificate_name != NULL) {
     client_certificate_name_ = strdup(certificate_name);
   }
 
   filter_ = SSL_ImportFD(NULL, filter_);
   if (filter_ == NULL) {
     ThrowPRException("TlsException", "Failed SSL_ImportFD call");
   }
 
+
+  SECStatus status;
+
+  // Enable ALPN (application layer protocol negogiation) if the caller provides
+  // a valid list of supported protocols.
+  {
+    Dart_TypedData_Type protocols_type;
+    uint8_t* protocol_string = NULL;
+    intptr_t protocol_string_len = 0;
+
+    Dart_Handle result = Dart_TypedDataAcquireData(
+        protocols_handle,
+        &protocols_type,
+        reinterpret_cast<void**>(&protocol_string),
+        &protocol_string_len);
+    if (Dart_IsError(result)) {
+      Dart_PropagateError(result);
+    }
+
+    if (protocols_type != Dart_TypedData_kUint8) {
+      Dart_TypedDataReleaseData(protocols_handle);
+      Dart_PropagateError(Dart_NewApiError(
+          "Unexpected type for protocols (expected valid Uint8List)."));
+    }
+
+    if (protocol_string_len > 0) {
+      status = SSL_OptionSet(filter_, SSL_ENABLE_ALPN, PR_TRUE);
+      ASSERT(status == SECSuccess);
+
+      status = SSL_SetNextProtoNego(filter_,
+                                    protocol_string,
+                                    protocol_string_len);
+      ASSERT(status == SECSuccess);
+    }
+
+    Dart_TypedDataReleaseData(protocols_handle);
+  }
+
   SSLVersionRange vrange;
   vrange.min = SSL_LIBRARY_VERSION_3_0;
   vrange.max = SSL_LIBRARY_VERSION_TLS_1_2;
   SSL_VersionRangeSet(filter_, &vrange);
 
-  SECStatus status;
   if (is_server) {
     CERTCertificate* certificate = NULL;
     if (strstr(certificate_name, "CN=") != NULL) {
       // Look up certificate using the distinguished name (DN) certificate_name.
       CERTCertDBHandle* certificate_database = CERT_GetDefaultCertDB();
       if (certificate_database == NULL) {
         ThrowPRException("CertificateException",
                          "Certificate database cannot be loaded");
       }
       certificate = CERT_FindCertByNameString(certificate_database,
@@ skipping 21 matching lines @@
       CERT_DestroyCertificate(certificate);
       if (PR_GetError() == -8177) {
         ThrowPRException("CertificateException",
                          "Certificate database password incorrect");
       } else {
         ThrowCertificateException(
             "Cannot find private key for certificate %s",
             certificate_name);
       }
     }
+
     // kt_rsa (key type RSA) is an enum constant from the NSS libraries.
     // TODO(whesse): Allow different key types.
     status = SSL_ConfigSecureServer(filter_, certificate, key, kt_rsa);
     CERT_DestroyCertificate(certificate);
     SECKEY_DestroyPrivateKey(key);
     if (status != SECSuccess) {
       ThrowCertificateException(
           "Failed SSL_ConfigSecureServer call with certificate %s",
           certificate_name);
     }
@@ skipping 83 matching lines @@
         ThrowPRException("HandshakeException",
                          "Handshake error in server");
       } else {
         ThrowPRException("HandshakeException",
                          "Handshake error in client");
       }
     }
   }
 }
 
+void SSLFilter::GetSelectedProtocol(Dart_NativeArguments args) {
+  // Space for the selected protocol.
+  const unsigned int kBufferSize = 256;
+  unsigned char buffer[kBufferSize + 1];
+
+  unsigned int outLength = 0;
+  SSLNextProtoState outState;
+
+  SECStatus status = SSL_GetNextProto(
+      filter_, &outState, buffer, &outLength, kBufferSize);
+  if (status == SECSuccess) {
+    if (outState == SSL_NEXT_PROTO_SELECTED ||
+        outState == SSL_NEXT_PROTO_NEGOTIATED) {
+      ASSERT(outLength <= kBufferSize);
+      buffer[outLength] = '\0';
+      Dart_Handle protocol_string = DartUtils::NewString(
+          reinterpret_cast<const char *>(&buffer[0]));
+      if (Dart_IsError(protocol_string)) {
+        ThrowPRException("HandshakeException",
+                         "Protocol selected via ALPN, unable to get protocol "
+                         "string.");
+      } else {
+        Dart_SetReturnValue(args, protocol_string);
+      }
+    } else if (outState == SSL_NEXT_PROTO_NO_OVERLAP) {
+      ThrowPRException("HandshakeException",
+                       "Client and Server could not agree upon a protocol");
+    } else if (outState == SSL_NEXT_PROTO_NO_SUPPORT) {
+      // A value of `null` denotes that the client did not support protocol
+      // negogiation.
+      Dart_SetReturnValue(args, Dart_Null());
+    } else {
+      UNREACHABLE();
+    }
+  } else {
+    ThrowPRException("HandshakeException",
+                     "Could not retrieve selected protocol via ALPN");
+  }
+}
+
 
 void SSLFilter::Renegotiate(bool use_session_cache,
                             bool request_client_certificate,
                             bool require_client_certificate) {
   SECStatus status;
   // The SSL_REQUIRE_CERTIFICATE option only takes effect if the
   // SSL_REQUEST_CERTIFICATE option is also set, so set it.
   request_client_certificate =
       request_client_certificate || require_client_certificate;
 
@@ skipping 124 matching lines @@
     }
     if (bytes_processed > 0) {
       memio_PutWriteResult(secret, bytes_processed);
     }
   }
   return bytes_processed;
 }
 
 }  // namespace bin
 }  // namespace dart