From 1a72454998ec91895648443c176ec41e542903e8 Mon Sep 17 00:00:00 2001 From: Mat Booth Date: Mon, 7 Sep 2020 13:24:30 +0100 Subject: [PATCH 2/5] Remove optional dep conscrypt --- handler/pom.xml | 6 - .../java/io/netty/handler/ssl/Conscrypt.java | 81 -------- .../handler/ssl/ConscryptAlpnSslEngine.java | 196 ------------------ .../JdkAlpnApplicationProtocolNegotiator.java | 8 +- .../java/io/netty/handler/ssl/SslHandler.java | 47 +---- pom.xml | 10 - 6 files changed, 2 insertions(+), 346 deletions(-) delete mode 100644 handler/src/main/java/io/netty/handler/ssl/Conscrypt.java delete mode 100644 handler/src/main/java/io/netty/handler/ssl/ConscryptAlpnSslEngine.java diff --git a/handler/pom.xml b/handler/pom.xml index c8e26119bd..378aeda2fe 100644 --- a/handler/pom.xml +++ b/handler/pom.xml @@ -81,12 +81,6 @@ alpn-api true - - ${conscrypt.groupId} - ${conscrypt.artifactId} - ${conscrypt.classifier} - true - org.mockito mockito-core diff --git a/handler/src/main/java/io/netty/handler/ssl/Conscrypt.java b/handler/src/main/java/io/netty/handler/ssl/Conscrypt.java deleted file mode 100644 index d2f015f90f..0000000000 --- a/handler/src/main/java/io/netty/handler/ssl/Conscrypt.java +++ /dev/null @@ -1,81 +0,0 @@ -/* - * Copyright 2017 The Netty Project - * - * The Netty Project licenses this file to you under the Apache License, - * version 2.0 (the "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations - * under the License. - */ -package io.netty.handler.ssl; - -import io.netty.util.internal.PlatformDependent; - -import javax.net.ssl.SSLEngine; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; - -/** - * Contains methods that can be used to detect if conscrypt is usable. - */ -final class Conscrypt { - // This class exists to avoid loading other conscrypt related classes using features only available in JDK8+, - // because we need to maintain JDK6+ runtime compatibility. - private static final Method IS_CONSCRYPT_SSLENGINE = loadIsConscryptEngine(); - private static final boolean CAN_INSTANCE_PROVIDER = canInstanceProvider(); - - private static Method loadIsConscryptEngine() { - try { - Class conscryptClass = Class.forName("org.conscrypt.Conscrypt", true, - ConscryptAlpnSslEngine.class.getClassLoader()); - return conscryptClass.getMethod("isConscrypt", SSLEngine.class); - } catch (Throwable ignore) { - // Conscrypt was not loaded. - return null; - } - } - - private static boolean canInstanceProvider() { - try { - Class providerClass = Class.forName("org.conscrypt.OpenSSLProvider", true, - ConscryptAlpnSslEngine.class.getClassLoader()); - providerClass.newInstance(); - return true; - } catch (Throwable ignore) { - return false; - } - } - - /** - * Indicates whether or not conscrypt is available on the current system. - */ - static boolean isAvailable() { - return CAN_INSTANCE_PROVIDER && IS_CONSCRYPT_SSLENGINE != null && - ((PlatformDependent.javaVersion() >= 8 && - // Only works on Java14 and earlier for now - // See https://github.com/google/conscrypt/issues/838 - PlatformDependent.javaVersion() < 15) || PlatformDependent.isAndroid()); - } - - static boolean isEngineSupported(SSLEngine engine) { - return isAvailable() && isConscryptEngine(engine); - } - - private static boolean isConscryptEngine(SSLEngine engine) { - try { - return (Boolean) IS_CONSCRYPT_SSLENGINE.invoke(null, engine); - } catch (IllegalAccessException ignore) { - return false; - } catch (InvocationTargetException ex) { - throw new RuntimeException(ex); - } - } - - private Conscrypt() { } -} diff --git a/handler/src/main/java/io/netty/handler/ssl/ConscryptAlpnSslEngine.java b/handler/src/main/java/io/netty/handler/ssl/ConscryptAlpnSslEngine.java deleted file mode 100644 index d9767a7106..0000000000 --- a/handler/src/main/java/io/netty/handler/ssl/ConscryptAlpnSslEngine.java +++ /dev/null @@ -1,196 +0,0 @@ -/* - * Copyright 2017 The Netty Project - * - * The Netty Project licenses this file to you under the Apache License, - * version 2.0 (the "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - * License for the specific language governing permissions and limitations - * under the License. - */ -package io.netty.handler.ssl; - -import static io.netty.handler.ssl.SslUtils.toSSLHandshakeException; -import static io.netty.util.internal.ObjectUtil.checkNotNull; -import static java.lang.Math.min; - -import io.netty.buffer.ByteBuf; -import io.netty.buffer.ByteBufAllocator; -import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelectionListener; -import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelector; -import java.nio.ByteBuffer; -import java.util.Collections; -import java.util.LinkedHashSet; -import java.util.List; -import javax.net.ssl.SSLEngine; -import javax.net.ssl.SSLEngineResult; -import javax.net.ssl.SSLException; - -import io.netty.util.internal.SystemPropertyUtil; -import org.conscrypt.AllocatedBuffer; -import org.conscrypt.BufferAllocator; -import org.conscrypt.Conscrypt; -import org.conscrypt.HandshakeListener; - -/** - * A {@link JdkSslEngine} that uses the Conscrypt provider or SSL with ALPN. - */ -abstract class ConscryptAlpnSslEngine extends JdkSslEngine { - private static final boolean USE_BUFFER_ALLOCATOR = SystemPropertyUtil.getBoolean( - "io.netty.handler.ssl.conscrypt.useBufferAllocator", true); - - static ConscryptAlpnSslEngine newClientEngine(SSLEngine engine, ByteBufAllocator alloc, - JdkApplicationProtocolNegotiator applicationNegotiator) { - return new ClientEngine(engine, alloc, applicationNegotiator); - } - - static ConscryptAlpnSslEngine newServerEngine(SSLEngine engine, ByteBufAllocator alloc, - JdkApplicationProtocolNegotiator applicationNegotiator) { - return new ServerEngine(engine, alloc, applicationNegotiator); - } - - private ConscryptAlpnSslEngine(SSLEngine engine, ByteBufAllocator alloc, List protocols) { - super(engine); - - // Configure the Conscrypt engine to use Netty's buffer allocator. This is a trade-off of memory vs - // performance. - // - // If no allocator is provided, the engine will internally allocate a direct buffer of max packet size in - // order to optimize JNI calls (this happens the first time it is provided a non-direct buffer from the - // application). - // - // Alternatively, if an allocator is provided, no internal buffer will be created and direct buffers will be - // retrieved from the allocator on-demand. - if (USE_BUFFER_ALLOCATOR) { - Conscrypt.setBufferAllocator(engine, new BufferAllocatorAdapter(alloc)); - } - - // Set the list of supported ALPN protocols on the engine. - Conscrypt.setApplicationProtocols(engine, protocols.toArray(new String[0])); - } - - /** - * Calculates the maximum size of the encrypted output buffer required to wrap the given plaintext bytes. Assumes - * as a worst case that there is one TLS record per buffer. - * - * @param plaintextBytes the number of plaintext bytes to be wrapped. - * @param numBuffers the number of buffers that the plaintext bytes are spread across. - * @return the maximum size of the encrypted output buffer required for the wrap operation. - */ - final int calculateOutNetBufSize(int plaintextBytes, int numBuffers) { - // Assuming a max of one frame per component in a composite buffer. - long maxOverhead = (long) Conscrypt.maxSealOverhead(getWrappedEngine()) * numBuffers; - // TODO(nmittler): update this to use MAX_ENCRYPTED_PACKET_LENGTH instead of Integer.MAX_VALUE - return (int) min(Integer.MAX_VALUE, plaintextBytes + maxOverhead); - } - - final SSLEngineResult unwrap(ByteBuffer[] srcs, ByteBuffer[] dests) throws SSLException { - return Conscrypt.unwrap(getWrappedEngine(), srcs, dests); - } - - private static final class ClientEngine extends ConscryptAlpnSslEngine { - private final ProtocolSelectionListener protocolListener; - - ClientEngine(SSLEngine engine, ByteBufAllocator alloc, - JdkApplicationProtocolNegotiator applicationNegotiator) { - super(engine, alloc, applicationNegotiator.protocols()); - // Register for completion of the handshake. - Conscrypt.setHandshakeListener(engine, new HandshakeListener() { - @Override - public void onHandshakeFinished() throws SSLException { - selectProtocol(); - } - }); - - protocolListener = checkNotNull(applicationNegotiator - .protocolListenerFactory().newListener(this, applicationNegotiator.protocols()), - "protocolListener"); - } - - private void selectProtocol() throws SSLException { - String protocol = Conscrypt.getApplicationProtocol(getWrappedEngine()); - try { - protocolListener.selected(protocol); - } catch (Throwable e) { - throw toSSLHandshakeException(e); - } - } - } - - private static final class ServerEngine extends ConscryptAlpnSslEngine { - private final ProtocolSelector protocolSelector; - - ServerEngine(SSLEngine engine, ByteBufAllocator alloc, - JdkApplicationProtocolNegotiator applicationNegotiator) { - super(engine, alloc, applicationNegotiator.protocols()); - - // Register for completion of the handshake. - Conscrypt.setHandshakeListener(engine, new HandshakeListener() { - @Override - public void onHandshakeFinished() throws SSLException { - selectProtocol(); - } - }); - - protocolSelector = checkNotNull(applicationNegotiator.protocolSelectorFactory() - .newSelector(this, - new LinkedHashSet(applicationNegotiator.protocols())), - "protocolSelector"); - } - - private void selectProtocol() throws SSLException { - try { - String protocol = Conscrypt.getApplicationProtocol(getWrappedEngine()); - protocolSelector.select(protocol != null ? Collections.singletonList(protocol) - : Collections.emptyList()); - } catch (Throwable e) { - throw toSSLHandshakeException(e); - } - } - } - - private static final class BufferAllocatorAdapter extends BufferAllocator { - private final ByteBufAllocator alloc; - - BufferAllocatorAdapter(ByteBufAllocator alloc) { - this.alloc = alloc; - } - - @Override - public AllocatedBuffer allocateDirectBuffer(int capacity) { - return new BufferAdapter(alloc.directBuffer(capacity)); - } - } - - private static final class BufferAdapter extends AllocatedBuffer { - private final ByteBuf nettyBuffer; - private final ByteBuffer buffer; - - BufferAdapter(ByteBuf nettyBuffer) { - this.nettyBuffer = nettyBuffer; - buffer = nettyBuffer.nioBuffer(0, nettyBuffer.capacity()); - } - - @Override - public ByteBuffer nioBuffer() { - return buffer; - } - - @Override - public AllocatedBuffer retain() { - nettyBuffer.retain(); - return this; - } - - @Override - public AllocatedBuffer release() { - nettyBuffer.release(); - return this; - } - } -} diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java b/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java index c4ca7b9b8c..2ed83a313b 100644 --- a/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java +++ b/handler/src/main/java/io/netty/handler/ssl/JdkAlpnApplicationProtocolNegotiator.java @@ -26,8 +26,7 @@ import javax.net.ssl.SSLEngine; */ @Deprecated public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicationProtocolNegotiator { - private static final boolean AVAILABLE = Conscrypt.isAvailable() || - JdkAlpnSslUtils.supportsAlpn() || + private static final boolean AVAILABLE = JdkAlpnSslUtils.supportsAlpn() || JettyAlpnSslEngine.isAvailable(); private static final SslEngineWrapperFactory ALPN_WRAPPER = AVAILABLE ? new AlpnWrapper() : new FailureWrapper(); @@ -119,7 +118,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati public SSLEngine wrapSslEngine(SSLEngine engine, ByteBufAllocator alloc, JdkApplicationProtocolNegotiator applicationNegotiator, boolean isServer) { throw new RuntimeException("ALPN unsupported. Is your classpath configured correctly?" - + " For Conscrypt, add the appropriate Conscrypt JAR to classpath and set the security provider." + " For Jetty-ALPN, see " + "http://www.eclipse.org/jetty/documentation/current/alpn-chapter.html#alpn-starting"); } @@ -129,10 +127,6 @@ public final class JdkAlpnApplicationProtocolNegotiator extends JdkBaseApplicati @Override public SSLEngine wrapSslEngine(SSLEngine engine, ByteBufAllocator alloc, JdkApplicationProtocolNegotiator applicationNegotiator, boolean isServer) { - if (Conscrypt.isEngineSupported(engine)) { - return isServer ? ConscryptAlpnSslEngine.newServerEngine(engine, alloc, applicationNegotiator) - : ConscryptAlpnSslEngine.newClientEngine(engine, alloc, applicationNegotiator); - } // ALPN support was recently backported to Java8 as // https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8230977. // Because of this lets not do a Java version runtime check but just depend on if the required methods are diff --git a/handler/src/main/java/io/netty/handler/ssl/SslHandler.java b/handler/src/main/java/io/netty/handler/ssl/SslHandler.java index de101967ba..8e11bbf4cc 100644 --- a/handler/src/main/java/io/netty/handler/ssl/SslHandler.java +++ b/handler/src/main/java/io/netty/handler/ssl/SslHandler.java @@ -228,50 +228,6 @@ public class SslHandler extends ByteToMessageDecoder implements ChannelOutboundH return ((ReferenceCountedOpenSslEngine) engine).jdkCompatibilityMode; } }, - CONSCRYPT(true, COMPOSITE_CUMULATOR) { - @Override - SSLEngineResult unwrap(SslHandler handler, ByteBuf in, int readerIndex, int len, ByteBuf out) - throws SSLException { - int nioBufferCount = in.nioBufferCount(); - int writerIndex = out.writerIndex(); - final SSLEngineResult result; - if (nioBufferCount > 1) { - /* - * Use a special unwrap method without additional memory copies. - */ - try { - handler.singleBuffer[0] = toByteBuffer(out, writerIndex, out.writableBytes()); - result = ((ConscryptAlpnSslEngine) handler.engine).unwrap( - in.nioBuffers(readerIndex, len), - handler.singleBuffer); - } finally { - handler.singleBuffer[0] = null; - } - } else { - result = handler.engine.unwrap(toByteBuffer(in, readerIndex, len), - toByteBuffer(out, writerIndex, out.writableBytes())); - } - out.writerIndex(writerIndex + result.bytesProduced()); - return result; - } - - @Override - ByteBuf allocateWrapBuffer(SslHandler handler, ByteBufAllocator allocator, - int pendingBytes, int numComponents) { - return allocator.directBuffer( - ((ConscryptAlpnSslEngine) handler.engine).calculateOutNetBufSize(pendingBytes, numComponents)); - } - - @Override - int calculatePendingData(SslHandler handler, int guess) { - return guess; - } - - @Override - boolean jdkCompatibilityMode(SSLEngine engine) { - return true; - } - }, JDK(false, MERGE_CUMULATOR) { @Override SSLEngineResult unwrap(SslHandler handler, ByteBuf in, int readerIndex, int len, ByteBuf out) @@ -324,8 +280,7 @@ public class SslHandler extends ByteToMessageDecoder implements ChannelOutboundH }; static SslEngineType forEngine(SSLEngine engine) { - return engine instanceof ReferenceCountedOpenSslEngine ? TCNATIVE : - engine instanceof ConscryptAlpnSslEngine ? CONSCRYPT : JDK; + return engine instanceof ReferenceCountedOpenSslEngine ? TCNATIVE : JDK; } SslEngineType(boolean wantsDirectBuffer, Cumulator cumulator) { diff --git a/pom.xml b/pom.xml index d548aa5513..db3d7b0d38 100644 --- a/pom.xml +++ b/pom.xml @@ -489,16 +489,6 @@ true - - - ${conscrypt.groupId} - ${conscrypt.artifactId} - ${conscrypt.classifier} - ${conscrypt.version} - compile - true - -