Native Sockets TLS Client/Server support for linux

ktor-client/ktor-client-cio/jvmAndNix/src/io/ktor/client/engine/cio/Endpoint.kt

@@ -204,6 +204,7 @@ internal class Endpoint(
                     if (proxy?.type == ProxyType.HTTP) {
                         startTunnel(requestData, connection.output, connection.input)
                     }
+                    //TODO: cache TLS config to support session reuse, when using SSLEngine
                     val tlsSocket = connection.tls(coroutineContext) {
                         takeFrom(config.https)
                         serverName = serverName ?: address.hostname

ktor-network/ktor-network-tls/api/ktor-network-tls.api

@@ -180,24 +180,48 @@ public final class io/ktor/network/tls/TLSAlertType$Companion {
 	public final fun byCode (I)Lio/ktor/network/tls/TLSAlertType;
 }
 
+public final class io/ktor/network/tls/TLSAuthenticationConfig {
+	public fun <init> (Ljavax/net/ssl/KeyManagerFactory;)V
+	public final fun getKeyManagerFactory ()Ljavax/net/ssl/KeyManagerFactory;
+}
+
+public final class io/ktor/network/tls/TLSAuthenticationConfigBuilder {
+	public fun <init> (Lkotlin/jvm/functions/Function0;)V
+	public final fun build ()Lio/ktor/network/tls/TLSAuthenticationConfig;
+	public final fun keyStore (Ljava/security/KeyStore;)V
+	public final fun pkcs12Certificate (Ljava/io/File;Lkotlin/jvm/functions/Function0;)V
+	public final fun pkcs12Certificate (Ljava/lang/String;Lkotlin/jvm/functions/Function0;)V
+	public static synthetic fun pkcs12Certificate$default (Lio/ktor/network/tls/TLSAuthenticationConfigBuilder;Ljava/io/File;Lkotlin/jvm/functions/Function0;ILjava/lang/Object;)V
+	public static synthetic fun pkcs12Certificate$default (Lio/ktor/network/tls/TLSAuthenticationConfigBuilder;Ljava/lang/String;Lkotlin/jvm/functions/Function0;ILjava/lang/Object;)V
+}
+
 public final class io/ktor/network/tls/TLSCommonKt {
-	public static final fun tls (Lio/ktor/network/sockets/Connection;Lkotlin/coroutines/CoroutineContext;Lio/ktor/network/tls/TLSConfig;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
-	public static final fun tls (Lio/ktor/network/sockets/Connection;Lkotlin/coroutines/CoroutineContext;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
-	public static final fun tls (Lio/ktor/network/sockets/Connection;Lkotlin/coroutines/CoroutineContext;Lkotlin/jvm/functions/Function1;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
-	public static final fun tls (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static final fun tls (Lio/ktor/network/sockets/Connection;Lkotlin/coroutines/CoroutineContext;ZLkotlin/jvm/functions/Function1;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static final fun tls (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;Lio/ktor/network/tls/TLSConfig;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static final fun tls (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;ZLkotlin/jvm/functions/Function1;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
+	public static synthetic fun tls$default (Lio/ktor/network/sockets/Connection;Lkotlin/coroutines/CoroutineContext;ZLkotlin/jvm/functions/Function1;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
+	public static synthetic fun tls$default (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;ZLkotlin/jvm/functions/Function1;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
 }
 
-public final class io/ktor/network/tls/TLSConfig {
-	public fun <init> (Ljava/security/SecureRandom;Ljava/util/List;Ljavax/net/ssl/X509TrustManager;Ljava/util/List;Ljava/lang/String;)V
+public final class io/ktor/network/tls/TLSConfig : java/io/Closeable {
+	public fun <init> (Ljava/security/SecureRandom;Ljava/util/List;Ljavax/net/ssl/X509TrustManager;Ljava/util/List;ZLjava/lang/String;Lio/ktor/network/tls/TLSAuthenticationConfig;Lio/ktor/network/tls/TLSVerificationConfig;)V
+	public fun close ()V
+	public final fun getAuthentication ()Lio/ktor/network/tls/TLSAuthenticationConfig;
 	public final fun getCertificates ()Ljava/util/List;
 	public final fun getCipherSuites ()Ljava/util/List;
 	public final fun getRandom ()Ljava/security/SecureRandom;
 	public final fun getServerName ()Ljava/lang/String;
+	public final fun getSslContext ()Ljavax/net/ssl/SSLContext;
 	public final fun getTrustManager ()Ljavax/net/ssl/X509TrustManager;
+	public final fun getVerification ()Lio/ktor/network/tls/TLSVerificationConfig;
+	public final fun isClient ()Z
 }
 
 public final class io/ktor/network/tls/TLSConfigBuilder {
 	public fun <init> ()V
+	public fun <init> (Z)V
+	public synthetic fun <init> (ZILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public final fun authentication (Lkotlin/jvm/functions/Function0;Lkotlin/jvm/functions/Function1;)V
 	public final fun build ()Lio/ktor/network/tls/TLSConfig;
 	public final fun getCertificates ()Ljava/util/List;
 	public final fun getCipherSuites ()Ljava/util/List;
@@ -208,13 +232,19 @@ public final class io/ktor/network/tls/TLSConfigBuilder {
 	public final fun setRandom (Ljava/security/SecureRandom;)V
 	public final fun setServerName (Ljava/lang/String;)V
 	public final fun setTrustManager (Ljavax/net/ssl/TrustManager;)V
+	public final fun takeFrom (Lio/ktor/network/tls/TLSConfigBuilder;)V
+	public final fun verification (Lkotlin/jvm/functions/Function1;)V
 }
 
 public final class io/ktor/network/tls/TLSConfigBuilderKt {
 	public static final fun addCertificateChain (Lio/ktor/network/tls/TLSConfigBuilder;[Ljava/security/cert/X509Certificate;Ljava/security/PrivateKey;)V
 	public static final fun addKeyStoreNullablePassword (Lio/ktor/network/tls/TLSConfigBuilder;Ljava/security/KeyStore;[CLjava/lang/String;)V
 	public static synthetic fun addKeyStoreNullablePassword$default (Lio/ktor/network/tls/TLSConfigBuilder;Ljava/security/KeyStore;[CLjava/lang/String;ILjava/lang/Object;)V
-	public static final fun takeFrom (Lio/ktor/network/tls/TLSConfigBuilder;Lio/ktor/network/tls/TLSConfigBuilder;)V
+}
+
+public final class io/ktor/network/tls/TLSConfigKt {
+	public static final fun TLSConfig (ZLkotlin/jvm/functions/Function1;)Lio/ktor/network/tls/TLSConfig;
+	public static synthetic fun TLSConfig$default (ZLkotlin/jvm/functions/Function1;ILjava/lang/Object;)Lio/ktor/network/tls/TLSConfig;
 }
 
 public final class io/ktor/network/tls/TLSHandshakeType : java/lang/Enum {
@@ -239,10 +269,8 @@ public final class io/ktor/network/tls/TLSHandshakeType$Companion {
 }
 
 public final class io/ktor/network/tls/TLSKt {
-	public static final fun tls (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;Lio/ktor/network/tls/TLSConfig;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
-	public static final fun tls (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;Ljavax/net/ssl/SSLEngine;)Lio/ktor/network/sockets/Socket;
+	public static final fun tls (Lio/ktor/network/sockets/Connection;Lkotlin/coroutines/CoroutineContext;Lio/ktor/network/tls/TLSConfig;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public static final fun tls (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;Ljavax/net/ssl/X509TrustManager;Ljava/lang/String;Ljava/util/List;Ljava/lang/String;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
-	public static final fun tls (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;Lkotlin/jvm/functions/Function1;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public static synthetic fun tls$default (Lio/ktor/network/sockets/Socket;Lkotlin/coroutines/CoroutineContext;Ljavax/net/ssl/X509TrustManager;Ljava/lang/String;Ljava/util/List;Ljava/lang/String;Lkotlin/coroutines/Continuation;ILjava/lang/Object;)Ljava/lang/Object;
 }
 
@@ -261,6 +289,21 @@ public final class io/ktor/network/tls/TLSRecordType$Companion {
 	public final fun byCode (I)Lio/ktor/network/tls/TLSRecordType;
 }
 
+public final class io/ktor/network/tls/TLSVerificationConfig {
+	public fun <init> (Ljavax/net/ssl/TrustManagerFactory;)V
+	public final fun getTrustManagerFactory ()Ljavax/net/ssl/TrustManagerFactory;
+}
+
+public final class io/ktor/network/tls/TLSVerificationConfigBuilder {
+	public fun <init> ()V
+	public final fun build ()Lio/ktor/network/tls/TLSVerificationConfig;
+	public final fun pkcs12Certificate (Ljava/io/File;Lkotlin/jvm/functions/Function0;)V
+	public final fun pkcs12Certificate (Ljava/lang/String;Lkotlin/jvm/functions/Function0;)V
+	public static synthetic fun pkcs12Certificate$default (Lio/ktor/network/tls/TLSVerificationConfigBuilder;Ljava/io/File;Lkotlin/jvm/functions/Function0;ILjava/lang/Object;)V
+	public static synthetic fun pkcs12Certificate$default (Lio/ktor/network/tls/TLSVerificationConfigBuilder;Ljava/lang/String;Lkotlin/jvm/functions/Function0;ILjava/lang/Object;)V
+	public final fun trustStore (Ljava/security/KeyStore;)V
+}
+
 public final class io/ktor/network/tls/TLSVersion : java/lang/Enum {
 	public static final field Companion Lio/ktor/network/tls/TLSVersion$Companion;
 	public static final field SSL3 Lio/ktor/network/tls/TLSVersion;

ktor-network/ktor-network-tls/build.gradle.kts

@@ -1,14 +1,23 @@
-kotlin.sourceSets {
-    jvmAndNixMain {
-        dependencies {
-            api(project(":ktor-network"))
-            api(project(":ktor-utils"))
+kotlin {
+    linuxX64 {
+        val main by compilations.getting {
+            val openssl by cinterops.creating {
+                defFile(project.file("linuxX64/interop/openssl.def"))
+            }
         }
     }
-    jvmTest {
-        dependencies {
-            api(project(":ktor-network:ktor-network-tls:ktor-network-tls-certificates"))
-            api(libs.netty.handler)
+    sourceSets {
+        jvmAndNixMain {
+            dependencies {
+                api(project(":ktor-network"))
+                api(project(":ktor-utils"))
+            }
+        }
+        jvmTest {
+            dependencies {
+                api(project(":ktor-network:ktor-network-tls:ktor-network-tls-certificates"))
+                api(libs.netty.handler)
+            }
         }
     }
 }

ktor-network/ktor-network-tls/darwin/src/io/ktor/network/tls/PKCS12Certificate.kt

@@ -0,0 +1,10 @@
+/*
+ * Copyright 2014-2022 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package io.ktor.network.tls
+
+public class PKCS12Certificate(
+    public val path: String,
+    public val password: (() -> CharArray)?
+)

ktor-network/ktor-network-tls/darwin/src/io/ktor/network/tls/TLSConfigBuilderDarwin.kt

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2014-2019 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package io.ktor.network.tls
+
+/**
+ * [TLSConfig] builder.
+ */
+public actual class TLSConfigBuilder actual constructor(private val isClient: Boolean) {
+    private var authenticationBuilder: TLSAuthenticationConfigBuilder? = null
+    private var verificationBuilder: TLSVerificationConfigBuilder? = null
+
+    /**
+     * Custom server name for TLS server name extension.
+     * See also: https://en.wikipedia.org/wiki/Server_Name_Indication
+     */
+    public actual var serverName: String? = null
+
+    public actual fun authentication(
+        privateKeyPassword: () -> CharArray,
+        block: TLSAuthenticationConfigBuilder.() -> Unit
+    ) {
+        authenticationBuilder = TLSAuthenticationConfigBuilder(privateKeyPassword).apply(block)
+    }
+
+    public actual fun verification(
+        block: TLSVerificationConfigBuilder.() -> Unit
+    ) {
+        verificationBuilder = TLSVerificationConfigBuilder().apply(block)
+    }
+
+    public actual fun takeFrom(other: TLSConfigBuilder) {
+        serverName = other.serverName
+        authenticationBuilder = other.authenticationBuilder
+    }
+
+    /**
+     * Create [TLSConfig].
+     */
+    public actual fun build(): TLSConfig = TLSConfig(
+        isClient = isClient,
+        serverName = serverName,
+        authentication = authenticationBuilder?.build(),
+        verification = verificationBuilder?.build()
+    )
+}
+
+public actual class TLSAuthenticationConfigBuilder actual constructor(
+    private val privateKeyPassword: () -> CharArray
+) {
+    private var certificate: PKCS12Certificate? = null
+
+    public actual fun pkcs12Certificate(certificatePath: String, certificatePassword: (() -> CharArray)?) {
+        certificate = PKCS12Certificate(certificatePath, certificatePassword)
+    }
+
+    public actual fun build(): TLSAuthenticationConfig = TLSAuthenticationConfig(
+        certificate,
+        privateKeyPassword
+    )
+}
+
+public actual class TLSVerificationConfigBuilder {
+    private var certificate: PKCS12Certificate? = null
+
+    public actual fun pkcs12Certificate(certificatePath: String, certificatePassword: (() -> CharArray)?) {
+        certificate = PKCS12Certificate(certificatePath, certificatePassword)
+    }
+
+    public actual fun build(): TLSVerificationConfig = TLSVerificationConfig(
+        certificate
+    )
+}

ktor-network/ktor-network-tls/darwin/src/io/ktor/network/tls/TLSConfigDarwin.kt

@@ -0,0 +1,28 @@
+// ktlint-disable filename
+/*
+ * Copyright 2014-2019 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package io.ktor.network.tls
+
+import io.ktor.utils.io.core.*
+
+public actual class TLSConfig(
+    public actual val isClient: Boolean,
+    public actual val serverName: String?,
+    public actual val authentication: TLSAuthenticationConfig?,
+    public actual val verification: TLSVerificationConfig?,
+) : Closeable {
+    override fun close() {
+        //NOOP
+    }
+}
+
+public actual class TLSAuthenticationConfig(
+    public val certificate: PKCS12Certificate?,
+    public val privateKeyPassword: () -> CharArray
+)
+
+public actual class TLSVerificationConfig(
+    public val certificate: PKCS12Certificate?,
+)

ktor-network/ktor-network-tls/darwin/src/io/ktor/network/tls/TLSDarwin.kt

@@ -0,0 +1,15 @@
+/*
+ * Copyright 2014-2022 JetBrains s.r.o and contributors. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package io.ktor.network.tls
+
+import io.ktor.network.sockets.*
+import kotlin.coroutines.*
+
+public actual suspend fun Connection.tls(
+    coroutineContext: CoroutineContext,
+    config: TLSConfig
+): Socket {
+    error("TLS is not supported on Darwin platform.")
+}

ktor-network/ktor-network-tls/jvm/src/io/ktor/network/tls/TLS.kt

@@ -13,21 +13,44 @@ import kotlin.coroutines.*
 /**
  * Make [Socket] connection secure with TLS using [TLSConfig].
  */
-public actual suspend fun Socket.tls(
+public actual suspend fun Connection.tls(
     coroutineContext: CoroutineContext,
     config: TLSConfig
 ): Socket {
-    val reader = openReadChannel()
-    val writer = openWriteChannel()
-
-    return try {
-        openTLSSession(this, reader, writer, config, coroutineContext)
-    } catch (cause: Throwable) {
-        reader.cancel(cause)
-        writer.close(cause)
-        close()
-        throw cause
+
+    //using old implementation for now if new configuration is not used
+    if (config.isClient && config.authentication == null && config.verification == null) {
+        return try {
+            openTLSSession(socket, input, output, config, coroutineContext)
+        } catch (cause: Throwable) {
+            input.cancel(cause)
+            output.close(cause)
+            socket.close()
+            throw cause
+        }
+    }
+
+    //TODO: servername is not validated
+    //TODO: client auth doesn't check if certificate is specific to server or client
+
+    val engine = when (val address = socket.remoteAddress) {
+        is UnixSocketAddress -> config.sslContext.createSSLEngine()
+        is InetSocketAddress -> {
+            config.sslContext.createSSLEngine(
+                config.serverName ?: address.hostname,
+                address.port
+            )
+        }
+    }
+
+    //TODO: we can also set cipherSuites here
+    engine.useClientMode = config.isClient
+
+    if (!config.isClient) {
+        engine.needClientAuth = config.verification != null
     }
+
+    return SSLEngineSocket(coroutineContext, engine, this)
 }
 
 /**
@@ -45,14 +68,3 @@ public suspend fun Socket.tls(
     this.cipherSuites = cipherSuites
     this.serverName = serverName
 }
-
-/**
- * Make [Socket] connection secure with TLS configured with [block].
- */
-public actual suspend fun Socket.tls(coroutineContext: CoroutineContext, block: TLSConfigBuilder.() -> Unit): Socket =
-    tls(coroutineContext, TLSConfigBuilder().apply(block).build())
-
-@InternalAPI
-public fun Socket.tls(coroutineContext: CoroutineContext, engine: SSLEngine): Socket {
-    return SSLEngineSocket(coroutineContext, engine, connection())
-}

ktor-network/ktor-network-tls/jvm/src/io/ktor/network/tls/TLSClientSessionJvm.kt

@@ -14,7 +14,7 @@ import kotlinx.coroutines.channels.*
 import java.nio.*
 import kotlin.coroutines.*
 
-internal actual suspend fun openTLSSession(
+internal suspend fun openTLSSession(
     socket: Socket,
     input: ByteReadChannel,
     output: ByteWriteChannel,