/*
* Copyright 2017 The Netty Project
*
* The Netty Project licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/
package io.netty.handler.ssl;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.util.ReferenceCountUtil;
import io.netty.util.internal.ObjectUtil;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.List;
/**
* {@link OptionalSslHandler} is a utility decoder to support both SSL and non-SSL handlers
* based on the first message received.
*/
public class OptionalSslHandler extends ByteToMessageDecoder {
private final SslContext sslContext;
public OptionalSslHandler(SslContext sslContext) {
this.sslContext = ObjectUtil.checkNotNull(sslContext, "sslContext");
}
@Override
protected void decode(ChannelHandlerContext context, ByteBuf in, List<Object> out) throws Exception {
if (in.readableBytes() < SslUtils.SSL_RECORD_HEADER_LENGTH) {
return;
}
if (SslHandler.isEncrypted(in)) {
handleSsl(context);
} else {
handleNonSsl(context);
}
}
private void handleSsl(ChannelHandlerContext context) {
SslHandler sslHandler = null;
try {
sslHandler = newSslHandler(context, sslContext);
context.pipeline().replace(this, newSslHandlerName(), sslHandler);
sslHandler = null;
} finally {
// Since the SslHandler was not inserted into the pipeline the ownership of the SSLEngine was not
// transferred to the SslHandler.
if (sslHandler != null) {
ReferenceCountUtil.safeRelease(sslHandler.engine());
}
}
}
private void handleNonSsl(ChannelHandlerContext context) {
ChannelHandler handler = newNonSslHandler(context);
if (handler != null) {
context.pipeline().replace(this, newNonSslHandlerName(), handler);
} else {
context.pipeline().remove(this);
}
}
/**
* Optionally specify the SSL handler name, this method may return {@code null}.
* @return the name of the SSL handler.
*/
protected String newSslHandlerName() {
return null;
}
/**
* Override to configure the SslHandler eg. {@link SSLParameters#setEndpointIdentificationAlgorithm(String)}.
* The hostname and port is not known by this method so servers may want to override this method and use the
* {@link SslContext#newHandler(ByteBufAllocator, String, int)} variant.
*
* @param context the {@link ChannelHandlerContext} to use.
* @param sslContext the {@link SSLContext} to use.
* @return the {@link SslHandler} which will replace the {@link OptionalSslHandler} in the pipeline if the
* traffic is SSL.
*/
protected SslHandler newSslHandler(ChannelHandlerContext context, SslContext sslContext) {
return sslContext.newHandler(context.alloc());
}
/**
* Optionally specify the non-SSL handler name, this method may return {@code null}.
* @return the name of the non-SSL handler.
*/
protected String newNonSslHandlerName() {
return null;
}
/**
* Override to configure the ChannelHandler.
* @param context the {@link ChannelHandlerContext} to use.
* @return the {@link ChannelHandler} which will replace the {@link OptionalSslHandler} in the pipeline
* or {@code null} to simply remove the {@link OptionalSslHandler} if the traffic is non-SSL.
*/
protected ChannelHandler newNonSslHandler(ChannelHandlerContext context) {
return null;
}
}