puma 2.0.0.b5 → 5.0.0.beta1

data/ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -2,29 +2,39 @@ package org.jruby.puma;
 
 import org.jruby.Ruby;
 import org.jruby.RubyClass;
-import org.jruby.RubyHash;
 import org.jruby.RubyModule;
-import org.jruby.RubyNumeric;
 import org.jruby.RubyObject;
 import org.jruby.RubyString;
-
 import org.jruby.anno.JRubyMethod;
-
+import org.jruby.javasupport.JavaEmbedUtils;
 import org.jruby.runtime.Block;
 import org.jruby.runtime.ObjectAllocator;
 import org.jruby.runtime.ThreadContext;
 import org.jruby.runtime.builtin.IRubyObject;
-
-import org.jruby.exceptions.RaiseException;
-
 import org.jruby.util.ByteList;
 
-
-import javax.net.ssl.*;
-import javax.net.ssl.SSLEngineResult.*;
-import java.io.*;
-import java.security.*;
-import java.nio.*;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLSession;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.nio.Buffer;
+import java.nio.ByteBuffer;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+
+import static javax.net.ssl.SSLEngineResult.Status;
+import static javax.net.ssl.SSLEngineResult.HandshakeStatus;
 
 public class MiniSSL extends RubyObject {
   private static ObjectAllocator ALLOCATOR = new ObjectAllocator() {
@@ -35,7 +45,7 @@ public class MiniSSL extends RubyObject {
 
   public static void createMiniSSL(Ruby runtime) {
     RubyModule mPuma = runtime.defineModule("Puma");
-    RubyModule ssl =   mPuma.defineModuleUnder("MiniSSL");
+    RubyModule ssl = mPuma.defineModuleUnder("MiniSSL");
 
     mPuma.defineClassUnder("SSLError",
                            runtime.getClass("IOError"),
@@ -45,55 +55,101 @@ public class MiniSSL extends RubyObject {
     eng.defineAnnotatedMethods(MiniSSL.class);
   }
 
-  private Ruby runtime;
-  private SSLContext sslc;
+  /**
+   * Fairly transparent wrapper around {@link java.nio.ByteBuffer} which adds the enhancements we need
+   */
+  private static class MiniSSLBuffer {
+    ByteBuffer buffer;
+
+    private MiniSSLBuffer(int capacity) { buffer = ByteBuffer.allocate(capacity); }
+    private MiniSSLBuffer(byte[] initialContents) { buffer = ByteBuffer.wrap(initialContents); }
+
+    public void clear() { buffer.clear(); }
+    public void compact() { buffer.compact(); }
+    public void flip() { ((Buffer) buffer).flip(); }
+    public boolean hasRemaining() { return buffer.hasRemaining(); }
+    public int position() { return buffer.position(); }
+
+    public ByteBuffer getRawBuffer() {
+      return buffer;
+    }
+
+    /**
+     * Writes bytes to the buffer after ensuring there's room
+     */
+    public void put(byte[] bytes) {
+      if (buffer.remaining() < bytes.length) {
+        resize(buffer.limit() + bytes.length);
+      }
+      buffer.put(bytes);
+    }
+
+    /**
+     * Ensures that newCapacity bytes can be written to this buffer, only re-allocating if necessary
+     */
+    public void resize(int newCapacity) {
+      if (newCapacity > buffer.capacity()) {
+        ByteBuffer dstTmp = ByteBuffer.allocate(newCapacity);
+        flip();
+        dstTmp.put(buffer);
+        buffer = dstTmp;
+      } else {
+        buffer.limit(newCapacity);
+      }
+    }
+
+    /**
+     * Drains the buffer to a ByteList, or returns null for an empty buffer
+     */
+    public ByteList asByteList() {
+      flip();
+      if (!buffer.hasRemaining()) {
+        buffer.clear();
+        return null;
+      }
+
+      byte[] bss = new byte[buffer.limit()];
+
+      buffer.get(bss);
+      buffer.clear();
+      return new ByteList(bss);
+    }
+
+    @Override
+    public String toString() { return buffer.toString(); }
+  }
 
-  private SSLEngine  engine;
+  private SSLEngine engine;
+  private MiniSSLBuffer inboundNetData;
+  private MiniSSLBuffer outboundAppData;
+  private MiniSSLBuffer outboundNetData;
 
-  private ByteBuffer peerAppData;
-  private ByteBuffer peerNetData;
-  private ByteBuffer netData;
-  private ByteBuffer dummy;
-  
   public MiniSSL(Ruby runtime, RubyClass klass) {
     super(runtime, klass);
-
-    this.runtime = runtime;
   }
 
   @JRubyMethod(meta = true)
-  public static IRubyObject server(ThreadContext context, IRubyObject recv, IRubyObject key, IRubyObject cert) {
-      RubyClass klass = (RubyClass) recv;
-      IRubyObject newInstance = klass.newInstance(context,
-          new IRubyObject[] { key, cert },
-          Block.NULL_BLOCK);
+  public static IRubyObject server(ThreadContext context, IRubyObject recv, IRubyObject miniSSLContext) {
+    RubyClass klass = (RubyClass) recv;
 
-      return newInstance;
+    return klass.newInstance(context,
+        new IRubyObject[] { miniSSLContext },
+        Block.NULL_BLOCK);
   }
 
   @JRubyMethod
-  public IRubyObject initialize(IRubyObject key, IRubyObject cert) 
-      throws java.security.KeyStoreException,
-             java.io.FileNotFoundException,
-             java.io.IOException,
-             java.io.FileNotFoundException,
-             java.security.NoSuchAlgorithmException,
-             java.security.KeyManagementException,
-             java.security.cert.CertificateException,
-             java.security.UnrecoverableKeyException
-  {
+  public IRubyObject initialize(ThreadContext threadContext, IRubyObject miniSSLContext)
+      throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException {
     KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
     KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
 
-    char[] pass = "blahblah".toCharArray();
-
-    ks.load(new FileInputStream(key.convertToString().asJavaString()),
-                                pass);
-    ts.load(new FileInputStream(cert.convertToString().asJavaString()),
-            pass);
+    char[] password = miniSSLContext.callMethod(threadContext, "keystore_pass").convertToString().asJavaString().toCharArray();
+    String keystoreFile = miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString();
+    ks.load(new FileInputStream(keystoreFile), password);
+    ts.load(new FileInputStream(keystoreFile), password);
 
     KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
-    kmf.init(ks, pass);
+    kmf.init(ks, password);
 
     TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
     tmf.init(ts);
@@ -101,189 +157,207 @@ public class MiniSSL extends RubyObject {
     SSLContext sslCtx = SSLContext.getInstance("TLS");
 
     sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+    engine = sslCtx.createSSLEngine();
 
-    sslc = sslCtx;
-
-    engine = sslc.createSSLEngine();
-    engine.setUseClientMode(false);
-    // engine.setNeedClientAuth(true);
+    String[] protocols;
+    if(miniSSLContext.callMethod(threadContext, "no_tlsv1").isTrue()) {
+        protocols = new String[] { "TLSv1.1", "TLSv1.2" };
+    } else {
+        protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+    }
 
-    SSLSession session = engine.getSession();
-    peerNetData = ByteBuffer.allocate(session.getPacketBufferSize());
-    peerAppData = ByteBuffer.allocate(session.getApplicationBufferSize());		
-    netData = ByteBuffer.allocate(session.getPacketBufferSize());
-    peerNetData.limit(0);
-    peerAppData.limit(0);
-    netData.limit(0);
-
-    peerNetData.clear();
-    peerAppData.clear();
-    netData.clear();
-
-    dummy = ByteBuffer.allocate(0);
-    
-    return this;
-  }
+    if(miniSSLContext.callMethod(threadContext, "no_tlsv1_1").isTrue()) {
+        protocols = new String[] { "TLSv1.2" };
+    }
 
-  @JRubyMethod
-  public IRubyObject inject(IRubyObject arg) {
-    byte[] bytes = arg.convertToString().getBytes();
+    engine.setEnabledProtocols(protocols);
+    engine.setUseClientMode(false);
 
-    peerNetData.limit(peerNetData.limit() + bytes.length);
+    long verify_mode = miniSSLContext.callMethod(threadContext, "verify_mode").convertToInteger().getLongValue();
+    if ((verify_mode & 0x1) != 0) { // 'peer'
+        engine.setWantClientAuth(true);
+    }
+    if ((verify_mode & 0x2) != 0) { // 'force_peer'
+        engine.setNeedClientAuth(true);
+    }
 
-    log("capacity: " + peerNetData.capacity() + " limit: " + peerNetData.limit());
+    IRubyObject sslCipherListObject = miniSSLContext.callMethod(threadContext, "ssl_cipher_list");
+    if (!sslCipherListObject.isNil()) {
+      String[] sslCipherList = sslCipherListObject.convertToString().asJavaString().split(",");
+      engine.setEnabledCipherSuites(sslCipherList);
+    }
 
-    peerNetData.put(bytes);
+    SSLSession session = engine.getSession();
+    inboundNetData = new MiniSSLBuffer(session.getPacketBufferSize());
+    outboundAppData = new MiniSSLBuffer(session.getApplicationBufferSize());
+    outboundAppData.flip();
+    outboundNetData = new MiniSSLBuffer(session.getPacketBufferSize());
 
-    log("netData: " + peerNetData.position() + "/" + peerAppData.limit());
     return this;
   }
 
   @JRubyMethod
-  public IRubyObject read() throws javax.net.ssl.SSLException, Exception {
-    peerAppData.clear();
-    peerNetData.flip();
-    SSLEngineResult res;
-
-    log("available read: " + peerNetData.position() + "/ " + peerNetData.limit());
-
-    if(!peerNetData.hasRemaining()) {
-      return getRuntime().getNil();
-    }
-
-    do {
-      res = engine.unwrap(peerNetData, peerAppData);
-    } while(res.getStatus() == SSLEngineResult.Status.OK &&
-        res.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_UNWRAP &&
-        res.bytesProduced() == 0);
-
-    log("read: ", res);
-
-    if(peerNetData.hasRemaining()) {
-      log("STILL HAD peerNetData!");
+  public IRubyObject inject(IRubyObject arg) {
+    try {
+      byte[] bytes = arg.convertToString().getBytes();
+      inboundNetData.put(bytes);
+      return this;
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw new RuntimeException(e);
     }
+  }
 
-    peerNetData.position(0);
-    peerNetData.limit(0);
-
-    HandshakeStatus hsStatus = runDelegatedTasks(res, engine);
+  private enum SSLOperation {
+    WRAP,
+    UNWRAP
+  }
 
-    if(res.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW) {
-      return getRuntime().getNil();
-    }
+  private SSLEngineResult doOp(SSLOperation sslOp, MiniSSLBuffer src, MiniSSLBuffer dst) throws SSLException {
+    SSLEngineResult res = null;
+    boolean retryOp = true;
+    while (retryOp) {
+      switch (sslOp) {
+        case WRAP:
+          res = engine.wrap(src.getRawBuffer(), dst.getRawBuffer());
+          break;
+        case UNWRAP:
+          res = engine.unwrap(src.getRawBuffer(), dst.getRawBuffer());
+          break;
+        default:
+          throw new IllegalStateException("Unknown SSLOperation: " + sslOp);
+      }
 
-    if(hsStatus == HandshakeStatus.NEED_WRAP) {
-      netData.clear();
-      log("netData: " + netData.limit());
-      engine.wrap(dummy, netData);
-      return getRuntime().getNil();
+      switch (res.getStatus()) {
+        case BUFFER_OVERFLOW:
+          // increase the buffer size to accommodate the overflowing data
+          int newSize = Math.max(engine.getSession().getPacketBufferSize(), engine.getSession().getApplicationBufferSize());
+          dst.resize(newSize + dst.position());
+          // retry the operation
+          retryOp = true;
+          break;
+        case BUFFER_UNDERFLOW:
+          // need to wait for more data to come in before we retry
+          retryOp = false;
+          break;
+        default:
+          // other cases are OK and CLOSED.  We're done here.
+          retryOp = false;
+      }
     }
 
-    if(hsStatus == HandshakeStatus.NEED_UNWRAP) {
-      return getRuntime().getNil();
-
-      // log("peerNet: " + peerNetData.position() + "/" + peerNetData.limit());
-      // log("peerApp: " + peerAppData.position() + "/" + peerAppData.limit());
-
-      // peerNetData.compact();
-
-      // log("peerNet: " + peerNetData.position() + "/" + peerNetData.limit());
-        // do {
-          // res = engine.unwrap(peerNetData, peerAppData);
-        // } while(res.getStatus() == SSLEngineResult.Status.OK &&
-            // res.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_UNWRAP &&
-            // res.bytesProduced() == 0);
-      // return getRuntime().getNil();
+    // after each op, run any delegated tasks if needed
+    if(engine.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
+      Runnable runnable;
+      while ((runnable = engine.getDelegatedTask()) != null) {
+        runnable.run();
+      }
     }
 
-    // if(peerAppData.position() == 0 && 
-        // res.getStatus() == SSLEngineResult.Status.OK &&
-        // peerNetData.hasRemaining()) {
-      // res = engine.unwrap(peerNetData, peerAppData);
-    // }
-
-    byte[] bss = new byte[peerAppData.limit()];
-
-    peerAppData.get(bss);
-
-    RubyString str = getRuntime().newString("");
-    str.setValue(new ByteList(bss));
-
-    return str;
+    return res;
   }
 
-  private static HandshakeStatus runDelegatedTasks(SSLEngineResult result,
-      SSLEngine engine) throws Exception {
+  @JRubyMethod
+  public IRubyObject read() throws Exception {
+    try {
+      inboundNetData.flip();
 
-    HandshakeStatus hsStatus = result.getHandshakeStatus();
+      if(!inboundNetData.hasRemaining()) {
+        return getRuntime().getNil();
+      }
 
-    if(hsStatus == HandshakeStatus.NEED_TASK) {
-      Runnable runnable;
-      while ((runnable = engine.getDelegatedTask()) != null) {
-        log("\trunning delegated task...");
-        runnable.run();
+      MiniSSLBuffer inboundAppData = new MiniSSLBuffer(engine.getSession().getApplicationBufferSize());
+      doOp(SSLOperation.UNWRAP, inboundNetData, inboundAppData);
+
+      HandshakeStatus handshakeStatus = engine.getHandshakeStatus();
+      boolean done = false;
+      while (!done) {
+        switch (handshakeStatus) {
+          case NEED_WRAP:
+            doOp(SSLOperation.WRAP, inboundAppData, outboundNetData);
+            break;
+          case NEED_UNWRAP:
+            SSLEngineResult res = doOp(SSLOperation.UNWRAP, inboundNetData, inboundAppData);
+            if (res.getStatus() == Status.BUFFER_UNDERFLOW) {
+              // need more data before we can shake more hands
+              done = true;
+            }
+            break;
+          default:
+            done = true;
+        }
+        handshakeStatus = engine.getHandshakeStatus();
       }
-      hsStatus = engine.getHandshakeStatus();
-      if (hsStatus == HandshakeStatus.NEED_TASK) {
-        throw new Exception(
-            "handshake shouldn't need additional tasks");
+
+      if (inboundNetData.hasRemaining()) {
+        inboundNetData.compact();
+      } else {
+        inboundNetData.clear();
       }
-      log("\tnew HandshakeStatus: " + hsStatus);
-    }
 
-    return hsStatus;
-  }
-  
-
-  private static void log(String str, SSLEngineResult result) {
-    System.out.println("The format of the SSLEngineResult is: \n" +
-        "\t\"getStatus() / getHandshakeStatus()\" +\n" +
-        "\t\"bytesConsumed() / bytesProduced()\"\n");
-
-    HandshakeStatus hsStatus = result.getHandshakeStatus();
-    log(str +
-        result.getStatus() + "/" + hsStatus + ", " +
-        result.bytesConsumed() + "/" + result.bytesProduced() +
-        " bytes");
-    if (hsStatus == HandshakeStatus.FINISHED) {
-      log("\t...ready for application data");
+      ByteList appDataByteList = inboundAppData.asByteList();
+      if (appDataByteList == null) {
+        return getRuntime().getNil();
+      }
+
+      RubyString str = getRuntime().newString("");
+      str.setValue(appDataByteList);
+      return str;
+    } catch (Exception e) {
+      throw getRuntime().newEOFError(e.getMessage());
     }
   }
 
-  private static void log(String str) {
-    System.out.println(str);
+  @JRubyMethod
+  public IRubyObject write(IRubyObject arg) {
+    try {
+      byte[] bls = arg.convertToString().getBytes();
+      outboundAppData = new MiniSSLBuffer(bls);
+
+      return getRuntime().newFixnum(bls.length);
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw new RuntimeException(e);
+    }
   }
-  
-  
 
   @JRubyMethod
-  public IRubyObject write(IRubyObject arg) throws javax.net.ssl.SSLException {
-    log("write from: " + netData.position());
+  public IRubyObject extract() throws SSLException {
+    try {
+      ByteList dataByteList = outboundNetData.asByteList();
+      if (dataByteList != null) {
+        RubyString str = getRuntime().newString("");
+        str.setValue(dataByteList);
+        return str;
+      }
+
+      if (!outboundAppData.hasRemaining()) {
+        return getRuntime().getNil();
+      }
 
-    byte[] bls = arg.convertToString().getBytes();
-    ByteBuffer src = ByteBuffer.wrap(bls);
+      outboundNetData.clear();
+      doOp(SSLOperation.WRAP, outboundAppData, outboundNetData);
+      dataByteList = outboundNetData.asByteList();
+      if (dataByteList == null) {
+        return getRuntime().getNil();
+      }
 
-    SSLEngineResult res = engine.wrap(src, netData);
+      RubyString str = getRuntime().newString("");
+      str.setValue(dataByteList);
 
-    return getRuntime().newFixnum(res.bytesConsumed());
+      return str;
+    } catch (Exception e) {
+      e.printStackTrace();
+      throw new RuntimeException(e);
+    }
   }
 
   @JRubyMethod
-  public IRubyObject extract() {
-    netData.flip();
-
-    if(!netData.hasRemaining()) {
+  public IRubyObject peercert() throws CertificateEncodingException {
+    try {
+      return JavaEmbedUtils.javaToRuby(getRuntime(), engine.getSession().getPeerCertificates()[0].getEncoded());
+    } catch (SSLPeerUnverifiedException ex) {
       return getRuntime().getNil();
     }
-
-    byte[] bss = new byte[netData.limit()];
-
-    netData.get(bss);
-    netData.clear();
-
-    RubyString str = getRuntime().newString("");
-    str.setValue(new ByteList(bss));
-
-    return str;
   }
 }