Support for the ALPN extension of the TLS protocol for Client and Server

dart/sdk/lib/io/secure_socket.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 /**
  * A high-level class for communicating securely over a TCP socket, using
  * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an
  * [IOSink] interface, making it ideal for using together with
@@ skipping 21 matching lines @@
    * The handler receives the [X509Certificate], and can inspect it and
    * decide (or let the user decide) whether to accept
    * the connection or not.  The handler should return true
    * to continue the [SecureSocket] connection.
    */
   static Future<SecureSocket> connect(
       host,
       int port,
       {bool sendClientCertificate: false,
        String certificateName,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     return RawSecureSocket.connect(host,
                                    port,
                                    sendClientCertificate: sendClientCertificate,
                                    certificateName: certificateName,
-                                   onBadCertificate: onBadCertificate)
+                                   onBadCertificate: onBadCertificate,
+                                   supportedProtocols: supportedProtocols)
         .then((rawSocket) => new SecureSocket._(rawSocket));
   }
 
   /**
    * Takes an already connected [socket] and starts client side TLS
    * handshake to make the communication secure. When the returned
    * future completes the [SecureSocket] has completed the TLS
    * handshake. Using this function requires that the other end of the
    * connection is prepared for TLS handshake.
    *
@@ skipping 57 matching lines @@
    *
    * See [SecureServerSocket.bind] for more information on the
    * arguments.
    *
    */
   static Future<SecureSocket> secureServer(
       Socket socket,
       String certificateName,
       {List<int> bufferedData,
        bool requestClientCertificate: false,
-       bool requireClientCertificate: false}) {
+       bool requireClientCertificate: false,
+       List<String> supportedProtocols}) {
     var completer = new Completer();
     (socket as dynamic)._detachRaw()
         .then((detachedRaw) {
           return RawSecureSocket.secureServer(
             detachedRaw[0],
             certificateName,
             subscription: detachedRaw[1],
             bufferedData: bufferedData,
             requestClientCertificate: requestClientCertificate,
-            requireClientCertificate: requireClientCertificate);
+            requireClientCertificate: requireClientCertificate,
+            supportedProtocols: supportedProtocols);
           })
         .then((raw) {
           completer.complete(new SecureSocket._(raw));
         });
     return completer.future;
   }
 
   /**
    * Get the peer certificate for a connected SecureSocket.  If this
    * SecureSocket is the server end of a secure socket connection,
    * [peerCertificate] will return the client certificate, or null, if no
    * client certificate was received.  If it is the client end,
    * [peerCertificate] will return the server's certificate.
    */
   X509Certificate get peerCertificate;
 
   /**
+   * Get the protocol which was selected during protocol negotiation.
+   */
+  String get selectedProtocol;
+
+  /**
    * Renegotiate an existing secure connection, renewing the session keys
    * and possibly changing the connection properties.
    *
    * This repeats the SSL or TLS handshake, with options that allow clearing
    * the session cache and requesting a client certificate.
    */
   void renegotiate({bool useSessionCache: true,
                     bool requestClientCertificate: false,
                     bool requireClientCertificate: false});
 
@@ skipping 75 matching lines @@
    * The handler receives the [X509Certificate], and can inspect it and
    * decide (or let the user decide) whether to accept
    * the connection or not.  The handler should return true
    * to continue the [RawSecureSocket] connection.
    */
   static Future<RawSecureSocket> connect(
       host,
       int port,
       {bool sendClientCertificate: false,
        String certificateName,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     _RawSecureSocket._verifyFields(
         host,
         port,
         certificateName,
         false,
         false,
         false,
         sendClientCertificate,
         onBadCertificate);
     return RawSocket.connect(host, port)
         .then((socket) {
           return secure(socket,
                         sendClientCertificate: sendClientCertificate,
                         certificateName: certificateName,
-                        onBadCertificate: onBadCertificate);
+                        onBadCertificate: onBadCertificate,
+                        supportedProtocols: supportedProtocols);
         });
   }
 
   /**
    * Takes an already connected [socket] and starts client side TLS
    * handshake to make the communication secure. When the returned
    * future completes the [RawSecureSocket] has completed the TLS
    * handshake. Using this function requires that the other end of the
    * connection is prepared for TLS handshake.
    *
@@ skipping 17 matching lines @@
    *
    * See [connect] for more information on the arguments.
    *
    */
   static Future<RawSecureSocket> secure(
       RawSocket socket,
       {StreamSubscription subscription,
        host,
        bool sendClientCertificate: false,
        String certificateName,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     socket.readEventsEnabled = false;
     socket.writeEventsEnabled = false;
     return  _RawSecureSocket.connect(
         host != null ? host : socket.address.host,
         socket.port,
         certificateName,
         is_server: false,
         socket: socket,
         subscription: subscription,
         sendClientCertificate: sendClientCertificate,
-        onBadCertificate: onBadCertificate);
+        onBadCertificate: onBadCertificate,
+        supportedProtocols: supportedProtocols);
   }
 
   /**
    * Takes an already connected [socket] and starts server side TLS
    * handshake to make the communication secure. When the returned
    * future completes the [RawSecureSocket] has completed the TLS
    * handshake. Using this function requires that the other end of the
    * connection is going to start the TLS handshake.
    *
    * If the [socket] already has a subscription, pass the existing
@@ skipping 11 matching lines @@
    * See [RawSecureServerSocket.bind] for more information on the
    * arguments.
    *
    */
   static Future<RawSecureSocket> secureServer(
       RawSocket socket,
       String certificateName,
       {StreamSubscription subscription,
        List<int> bufferedData,
        bool requestClientCertificate: false,
-       bool requireClientCertificate: false}) {
+       bool requireClientCertificate: false,
+       List<String> supportedProtocols}) {
     socket.readEventsEnabled = false;
     socket.writeEventsEnabled = false;
     return _RawSecureSocket.connect(
         socket.address,
         socket.remotePort,
         certificateName,
         is_server: true,
         socket: socket,
         subscription: subscription,
         bufferedData: bufferedData,
         requestClientCertificate: requestClientCertificate,
-        requireClientCertificate: requireClientCertificate);
+        requireClientCertificate: requireClientCertificate,
+        supportedProtocols: supportedProtocols);
   }
 
   /**
    * Renegotiate an existing secure connection, renewing the session keys
    * and possibly changing the connection properties.
    *
    * This repeats the SSL or TLS handshake, with options that allow clearing
    * the session cache and requesting a client certificate.
    */
   void renegotiate({bool useSessionCache: true,
                     bool requestClientCertificate: false,
                     bool requireClientCertificate: false});
 
   /**
    * Get the peer certificate for a connected RawSecureSocket.  If this
    * RawSecureSocket is the server end of a secure socket connection,
    * [peerCertificate] will return the client certificate, or null, if no
    * client certificate was received.  If it is the client end,
    * [peerCertificate] will return the server's certificate.
    */
   X509Certificate get peerCertificate;
+
+  /**
+   * Get the protocol which was selected during protocol negotiation.
+   */
+  String get selectedProtocol;
 }
 
 
 /**
  * X509Certificate represents an SSL certificate, with accessors to
  * get the fields of the certificate.
  */
 class X509Certificate {
   X509Certificate(this.subject,
                   this.issuer,
@@ skipping 64 matching lines @@
   bool _closedRead = false;  // The secure socket has fired an onClosed event.
   bool _closedWrite = false;  // The secure socket has been closed for writing.
   Completer _closeCompleter = new Completer();  // The network socket is gone.
   _FilterStatus _filterStatus = new _FilterStatus();
   bool _connectPending = true;
   bool _filterPending = false;
   bool _filterActive = false;
 
   _SecureFilter _secureFilter = new _SecureFilter();
   int _filterPointer;
+  String _selectedProtocol;
 
   static Future<_RawSecureSocket> connect(
       host,
       int requestedPort,
       String certificateName,
       {bool is_server,
        RawSocket socket,
        StreamSubscription subscription,
        List<int> bufferedData,
        bool requestClientCertificate: false,
        bool requireClientCertificate: false,
        bool sendClientCertificate: false,
-       bool onBadCertificate(X509Certificate certificate)}) {
+       bool onBadCertificate(X509Certificate certificate),
+       List<String> supportedProtocols}) {
     _verifyFields(host, requestedPort, certificateName, is_server,
                  requestClientCertificate, requireClientCertificate,
                  sendClientCertificate, onBadCertificate);
     if (host is InternetAddress) host = host.host;
     var address = socket.address;
     if (host != null) address =  address._cloneWithNewHost(host);
     return new _RawSecureSocket(address,
                                 requestedPort,
                                 certificateName,
                                 is_server,
                                 socket,
                                 subscription,
                                 bufferedData,
                                 requestClientCertificate,
                                 requireClientCertificate,
                                 sendClientCertificate,
-                                onBadCertificate)
+                                onBadCertificate,
+                                supportedProtocols)
         ._handshakeComplete.future;
   }
 
   _RawSecureSocket(
       this.address,
       int requestedPort,
       this.certificateName,
       this.is_server,
       RawSocket this._socket,
       this._socketSubscription,
       this._bufferedData,
       this.requestClientCertificate,
       this.requireClientCertificate,
       this.sendClientCertificate,
-      this.onBadCertificate(X509Certificate certificate)) {
+      this.onBadCertificate(X509Certificate certificate),
+      List<String> supportedProtocols) {
     _controller = new StreamController<RawSocketEvent>(
         sync: true,
         onListen: _onSubscriptionStateChange,
         onPause: _onPauseStateChange,
         onResume: _onPauseStateChange,
         onCancel: _onSubscriptionStateChange);
     _stream = _controller.stream;
     // Throw an ArgumentError if any field is invalid.  After this, all
     // errors will be reported through the future or the stream.
     _secureFilter.init();
@@ skipping 24 matching lines @@
     }
     try {
       _secureFilter.connect(address.host,
                             (address as dynamic)._in_addr,
                             port,
                             is_server,
                             certificateName,
                             requestClientCertificate ||
                                 requireClientCertificate,
                             requireClientCertificate,
-                            sendClientCertificate);
+                            sendClientCertificate,
+                            _protocolsToLengthEncoding(supportedProtocols));
       _secureHandshake();
     } catch (e, s) {
       _reportError(e, s);
     }
   }
 
+  /// Encodes a set of supported protocols for ALPN/NPN usage.
+  ///
+  /// The `protocols` list is expected to contain protocols in descending order
+  /// of preference.
+  ///
+  /// See RFC 7301 (https://tools.ietf.org/html/rfc7301) for the encoding of
+  /// `List<String> protocols`:
+  ///     opaque ProtocolName<1..2^8-1>;
+  ///
+  ///     struct {
+  ///         ProtocolName protocol_name_list<2..2^16-1>
+  ///     } ProtocolNameList;
+  ///
+  /// The encoding of the opaque `ProtocolName<lower..upper>` vector is
+  /// described in RFC 2246: 4.3 Vectors.
+  ///
+  /// Note: Even though this encoding scheme would allow a total
+  /// `ProtocolNameList` length of 65535, this limit cannot be reached. Testing
+  /// showed that more than ~ 65480 bytes will fail to negogiate a protocol.
+  /// We will be conservative and support only messages up to (1<<15) -1 bytes.
+  ///
+  /// Our NSS implementation will support ALPN and NPN transparently. The
+  /// default protocol will be the first in the encoded Uint8List.
+  ///
+  /// NOTE: The NSS library will treat the first protocol as the fallback
+  /// protocol. The remaining ones are sorted in (decreasing) priority order.
+  /// We therefore put the protocol least desired to the front, to make it the
+  /// default.
+  Uint8List _protocolsToLengthEncoding(List<String> protocols) {
+    if (protocols == null || protocols.length == 0) {
+      return new Uint8List(0);
+    }
+    int protocolsLength = protocols.length;
+
+    // Calculate the number of bytes we will need if it is ASCII.
+    int expectedLength = protocolsLength;
+    for (int i = 0; i < protocolsLength; i++) {
+      int length = protocols[i].length;
+      if (length > 0 && length <= 255) {
+        expectedLength += length;
+      } else {
+        throw new ArgumentError(
+            'Length of protocol must be between 1 and 255 (was: $length).');
+      }
+    }
+
+    if (expectedLength >= (1 << 15)) {
+      throw new ArgumentError(
+          'The maximum message length supported is 2^15-1.');
+    }
+
+    // Try encoding the `List<String> protocols` array using fast ASCII path.
+    var bytes = new Uint8List(expectedLength);
+    int bytesOffset = 0;
+    for (int i = 0; i < protocolsLength; i++) {
+      // The last protocol will be encoded as the first/default one in the list.
+      // (i.e. rotate `protocols` by 1 to the right).
+      int index = i;
+      if (index == 0) index = protocols.length;
+      String proto = protocols[index - 1];
+
+      // Add length byte.
+      bytes[bytesOffset++] = proto.length;
+      int bits = 0;
+
+      // Add protocol bytes.
+      for (int j = 0; j < proto.length; j++) {
+        var char = proto.codeUnitAt(j);
+        bits |= char;
+        bytes[bytesOffset++] = char & 0xff;
+      }
+
+      // Go slow case if we have encountered anything non-ascii.
+      if (bits > 0x7f) {
+        return _protocolsToLengthEncodingNonAsciiBailout(protocols);
+      }
+    }
+    return bytes;
+  }
+
+  Uint8List _protocolsToLengthEncodingNonAsciiBailout(List<String> protocols) {
+    void addProtocol(List<int> outBytes, String protocol) {
+      var protocolBytes = UTF8.encode(protocol);
+      var len = protocolBytes.length;
+
+      if (len > 255) {
+        throw new ArgumentError(
+            'Length of protocol must be between 1 and 255 (was: $len)');
+      }
+      // Add length byte.
+      outBytes.add(len);
+
+      // Add protocol bytes.
+      outBytes.addAll(protocolBytes);
+    }
+
+    List<int> bytes = [];
+    addProtocol(bytes, protocols.last);
+    for (var i = 0; i < protocols.length -1; i++) {
+      addProtocol(bytes, protocols[i]);
+    }
+
+    if (bytes.length >= (1 << 15)) {
+      throw new ArgumentError(
+          'The maximum message length supported is 2^15-1.');
+    }
+
+    return new Uint8List.fromList(bytes);
+  }
+
+  void _addProtocolBytes(List<int> outBytes, String protocol) {
+    var protocolBytes = UTF8.encode(protocol);
+    var len = protocolBytes.length;
+
+    if (len > 255) {
+      throw new ArgumentError(
+          'Cannot support protocols with more than 255 characters');
+    }
+    outBytes.add(len);
+    outBytes.addAll(protocolBytes);
+  }
+
   StreamSubscription listen(void onData(RawSocketEvent data),
                             {Function onError,
                              void onDone(),
                              bool cancelOnError}) {
     _sendWriteEvent();
     return _stream.listen(onData,
                           onError: onError,
                           onDone: onDone,
                           cancelOnError: cancelOnError);
   }
@@ skipping 157 matching lines @@
         _secureFilter.buffers[WRITE_PLAINTEXT].write(data, offset, bytes);
     if (written > 0) {
       _filterStatus.writeEmpty = false;
     }
     _scheduleFilter();
     return written;
   }
 
   X509Certificate get peerCertificate => _secureFilter.peerCertificate;
 
+  String get selectedProtocol => _selectedProtocol;
+
   bool _onBadCertificateWrapper(X509Certificate certificate) {
     if (onBadCertificate == null) return false;
     var result = onBadCertificate(certificate);
     if (result is bool) return result;
     throw new ArgumentError(
         "onBadCertificate callback returned non-boolean $result");
   }
 
   bool setOption(SocketOption option, bool enabled) {
     if (_socket == null) return false;
@@ skipping 93 matching lines @@
                               requireClientCertificate);
     _status = HANDSHAKE;
     _filterStatus.writeEmpty = false;
     _scheduleFilter();
   }
 
   void _secureHandshakeCompleteHandler() {
     _status = CONNECTED;
     if (_connectPending) {
       _connectPending = false;
-      // We don't want user code to run synchronously in this callback.
-      Timer.run(() => _handshakeComplete.complete(this));
+      try {
+        _selectedProtocol = _secureFilter.selectedProtocol();
+        // We don't want user code to run synchronously in this callback.
+        Timer.run(() => _handshakeComplete.complete(this));
+      } catch (error, stack) {
+        _handshakeComplete.completeError(error, stack);
+      }
     }
   }
 
   void _onPauseStateChange() {
     if (_controller.isPaused) {
       _pauseCount++;
     } else {
       _pauseCount--;
       if (_pauseCount == 0) {
         _scheduleReadEvent();
@@ skipping 339 matching lines @@
 abstract class _SecureFilter {
   external factory _SecureFilter();
 
   void connect(String hostName,
                Uint8List addr,
                int port,
                bool is_server,
                String certificateName,
                bool requestClientCertificate,
                bool requireClientCertificate,
-               bool sendClientCertificate);
+               bool sendClientCertificate,
+               Uint8List protocols);
   void destroy();
   void handshake();
   void rehandshake();
   void renegotiate(bool useSessionCache,
                    bool requestClientCertificate,
                    bool requireClientCertificate);
   void init();
   X509Certificate get peerCertificate;
   int processBuffer(int bufferIndex);
   void registerBadCertificateCallback(Function callback);
@@ skipping 47 matching lines @@
 /**
  * An exception that happens in the handshake phase of establishing
  * a secure network connection, when looking up or verifying a
  * certificate.
  */
 class CertificateException extends TlsException {
   const CertificateException([String message = "",
                             OSError osError = null])
      : super._("CertificateException", message, osError);
 }