Author: markt
Date: Tue Jan 2 21:32:41 2018
New Revision: 1819903
URL: http://svn.apache.org/viewvc?rev=1819903&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61948
Improve the handling of malformed ClientHello messages in the code that
extracts the SNI information from a TLS handshake for the JSSE based NIO and
NIO2 connectors.
Added:
tomcat/trunk/test/org/apache/tomcat/util/net/TestTLSClientHelloExtractor.java
(with props)
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
tomcat/trunk/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1819903&r1=1819902&r2=1819903&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Tue
Jan 2 21:32:41 2018
@@ -126,6 +126,7 @@ jsse.invalid_truststore_password=The pro
jsse.keystore_load_failed=Failed to load keystore type [{0}] with path [{1}]
due to [{2}]
jsse.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be
insecure.
+sniExtractor.clientHelloInvalid=The ClientHello message was not correctly
formatted
sniExtractor.clientHelloTooBig=The ClientHello was not presented in a single
TLS record so no SNI information could be extracted
socket.closed=The socket associated with this connection has been closed.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java?rev=1819903&r1=1819902&r2=1819903&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/TLSClientHelloExtractor.java
Tue Jan 2 21:32:41 2018
@@ -16,6 +16,8 @@
*/
package org.apache.tomcat.util.net;
+import java.io.IOException;
+import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
@@ -52,8 +54,9 @@ public class TLSClientHelloExtractor {
* exits.
*
* @param netInBuffer The buffer containing the TLS data to process
+ * @throws IOException If the client hello message is malformed
*/
- public TLSClientHelloExtractor(ByteBuffer netInBuffer) {
+ public TLSClientHelloExtractor(ByteBuffer netInBuffer) throws IOException {
// TODO: Detect use of http on a secure connection and provide a simple
// error page.
@@ -143,6 +146,8 @@ public class TLSClientHelloExtractor {
}
}
result = ExtractorResult.COMPLETE;
+ } catch (BufferUnderflowException | IllegalArgumentException e) {
+ throw new
IOException(sm.getString("sniExtractor.clientHelloInvalid"), e);
} finally {
this.result = result;
this.clientRequestedCiphers = clientRequestedCiphers;
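Review bot: The new catch clause merges two quite different failure modes without saying why either can occur here, so a reader cannot tell whether IllegalArgumentException is an expected outcome of bad input or is masking a programming error. Both appear to stem from length fields read out of the ClientHello bytes, BufferUnderflowException when an inner length runs past the record and IllegalArgumentException when a derived value reaches ByteBuffer.position()/limit(), but the parsing that does this is outside the hunk, so confirm before relying on that. A comment above the catch such as `// Lengths read from the (untrusted) ClientHello drive the buffer reads above; a bogus length surfaces as BufferUnderflowException or, via position()/limit(), as IllegalArgumentException, and both mean a malformed message.` would make the intent explicit. The finally block still stores the partial result before the IOException propagates; since the constructor never completes no caller can observe it, but a short comment saying so would save the next reader the same question. The constructor body continues outside the hunk on both sides.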
Added:
tomcat/trunk/test/org/apache/tomcat/util/net/TestTLSClientHelloExtractor.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TestTLSClientHelloExtractor.java?rev=1819903&view=auto
==============================================================================
---
tomcat/trunk/test/org/apache/tomcat/util/net/TestTLSClientHelloExtractor.java
(added)
+++
tomcat/trunk/test/org/apache/tomcat/util/net/TestTLSClientHelloExtractor.java
Tue Jan 2 21:32:41 2018
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.tomcat.util.net.TLSClientHelloExtractor.ExtractorResult;
+
+public class TestTLSClientHelloExtractor {
+
+ @Test
+ public void testInputNeedRead01() throws IOException {
+ ByteBuffer testInput = ByteBuffer.allocate(1024);
+ doTestInputNeedRead(testInput);
+ }
+
+
+ @Test(expected=IOException.class)
+ public void testInputMalformed01() throws IOException {
+ ByteBuffer testInput = ByteBuffer.allocate(1024);
+
+ // TLS handshake
+ testInput.put((byte) 22);
+ // TLS 1.0
+ testInput.put((byte) 3);
+ testInput.put((byte) 1);
+ // Record length 0 (correct, but not legal)
+ testInput.put((byte) 0);
+ testInput.put((byte) 0);
+
+ doTestInputNeedRead(testInput);
+ }
+
+
+ @Test(expected=IOException.class)
+ public void testInputMalformed02() throws IOException {
+ ByteBuffer testInput = ByteBuffer.allocate(1024);
+
+ // TLS handshake
+ testInput.put((byte) 22);
+ // TLS 1.0
+ testInput.put((byte) 3);
+ testInput.put((byte) 1);
+ // Record length 4
+ testInput.put((byte) 0);
+ testInput.put((byte) 4);
+ // Type 1 (client hello)
+ testInput.put((byte) 1);
+ // Client hello size 0 (correct, but not legal)
+ testInput.put((byte) 0);
+ testInput.put((byte) 0);
+ testInput.put((byte) 0);
+
+ doTestInputNeedRead(testInput);
+ }
+
+
+ public void doTestInputMalformed(ByteBuffer input) throws IOException {
+ TLSClientHelloExtractor extractor = new TLSClientHelloExtractor(input);
+ // Expect this to fail
+ extractor.getResult();
+ }
+
+
+ public void doTestInputNeedRead(ByteBuffer input) throws IOException {
+ TLSClientHelloExtractor extractor = new TLSClientHelloExtractor(input);
+ // Expect this to fail
+ ExtractorResult result = extractor.getResult();
+ Assert.assertEquals(ExtractorResult.NEED_READ, result);
+ }
+}
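Review bot: doTestInputMalformed, the helper at the bottom of the class, is never called: testInputMalformed01 and testInputMalformed02 both call doTestInputNeedRead, which only passes because the constructor throws before Assert.assertEquals runs, so the helper whose comment says "Expect this to fail" is actually the one asserting NEED_READ. Change the two calls to `doTestInputMalformed(testInput);` and reword the comment in doTestInputNeedRead to `// No complete TLS record is present, so the extractor should ask for more data`. The two helpers are public non-test methods; making them `private` keeps them out of the runner's view and out of the class's API. Both malformed cases only cover zero lengths; a record whose declared length exceeds the bytes actually present, or a ClientHello whose inner length fields overrun the record, would exercise the BufferUnderflowException path the extractor change adds and is worth a third case.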
Propchange:
tomcat/trunk/test/org/apache/tomcat/util/net/TestTLSClientHelloExtractor.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1819903&r1=1819902&r2=1819903&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Jan 2 21:32:41 2018
@@ -83,6 +83,11 @@
Add support for the OpenSSL ARIA ciphers to the OpenSSL to JSSE
cipher mapping. (markt)
</add>
+ <fix>
+ <bug>61948</bug>: Improve the handling of malformed ClientHello
messages
+ in the code that extracts the SNI information from a TLS handshake for
+ the JSSE based NIO and NIO2 connectors. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">