andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[#5874] [#5971] Ensure SniHandlerTest.testServerNameParsing not fails with SslProvider.JDK

Browse Source 
Motivation:

The SniHandlerTest.testServerNameParsing did fail when SslProvider.JDK was used as it the JDK SSLEngineImpl does not send an alert.

Modifications:

Ensure tests pass with JDK and OPENSSL ssl implementations.

Result:

SniHandlerTest will run with all SslProvider and not fail when SslProvider.JDK is used.
This commit is contained in:
Norman Maurer 2016-11-16 07:59:21 +01:00
parent 2c78902ebc
commit 86bbf242b4
1 changed files with 312 additions and 233 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

545
handler/src/test/java/io/netty/handler/ssl/SniHandlerTest.java
View File

@ -26,6 +26,8 @@ import static org.junit.Assume.assumeTrue;
import java.io.File; import java.io.File;
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch; import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@ -62,7 +64,10 @@ import io.netty.util.ReferenceCountUtil;
import io.netty.util.ReferenceCounted; import io.netty.util.ReferenceCounted;
import io.netty.util.concurrent.Promise; import io.netty.util.concurrent.Promise;
import io.netty.util.internal.ObjectUtil; import io.netty.util.internal.ObjectUtil;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
@RunWith(Parameterized.class)
public class SniHandlerTest { public class SniHandlerTest {
private static ApplicationProtocolConfig newApnConfig() { private static ApplicationProtocolConfig newApnConfig() {
@ -75,292 +80,360 @@ public class SniHandlerTest {
"myprotocol"); "myprotocol");
} }
private static SslContext makeSslContext() throws Exception { private static void assumeApnSupported(SslProvider provider) {
return makeSslContext(null); switch (provider) {
case OPENSSL:
case OPENSSL_REFCNT:
assumeTrue(OpenSsl.isAlpnSupported());
break;
case JDK:
assumeTrue(JdkAlpnSslEngine.isAvailable());
break;
default:
throw new Error();
}
} }
private static SslContext makeSslContext(SslProvider provider) throws Exception { private static SslContext makeSslContext(SslProvider provider, boolean apn) throws Exception {
if (apn) {
assumeApnSupported(provider);
}
File keyFile = new File(SniHandlerTest.class.getResource("test_encrypted.pem").getFile()); File keyFile = new File(SniHandlerTest.class.getResource("test_encrypted.pem").getFile());
File crtFile = new File(SniHandlerTest.class.getResource("test.crt").getFile()); File crtFile = new File(SniHandlerTest.class.getResource("test.crt").getFile());
return SslContextBuilder.forServer(crtFile, keyFile, "12345") SslContextBuilder sslCtxBuilder = SslContextBuilder.forServer(crtFile, keyFile, "12345")
.sslProvider(provider) .sslProvider(provider);
.applicationProtocolConfig(newApnConfig()).build(); if (apn) {
sslCtxBuilder.applicationProtocolConfig(newApnConfig());
}
return sslCtxBuilder.build();
} }
private static SslContext makeSslClientContext() throws Exception { private static SslContext makeSslClientContext(SslProvider provider, boolean apn) throws Exception {
if (apn) {
assumeApnSupported(provider);
}
File crtFile = new File(SniHandlerTest.class.getResource("test.crt").getFile()); File crtFile = new File(SniHandlerTest.class.getResource("test.crt").getFile());
return SslContextBuilder.forClient().trustManager(crtFile).applicationProtocolConfig(newApnConfig()).build(); SslContextBuilder sslCtxBuilder = SslContextBuilder.forClient().trustManager(crtFile).sslProvider(provider);
if (apn) {
sslCtxBuilder.applicationProtocolConfig(newApnConfig());
}
return sslCtxBuilder.build();
}
@Parameterized.Parameters(name = "{index}: sslProvider={0}")
public static Iterable<? extends Object> data() {
List<SslProvider> params = new ArrayList<SslProvider>(3);
if (OpenSsl.isAvailable()) {
params.add(SslProvider.OPENSSL);
params.add(SslProvider.OPENSSL_REFCNT);
}
params.add(SslProvider.JDK);
return params;
}
private final SslProvider provider;
public SniHandlerTest(SslProvider provider) {
this.provider = provider;
} }
@Test @Test
public void testServerNameParsing() throws Exception { public void testServerNameParsing() throws Exception {
SslContext nettyContext = makeSslContext(); SslContext nettyContext = makeSslContext(provider, false);
SslContext leanContext = makeSslContext(); SslContext leanContext = makeSslContext(provider, false);
SslContext leanContext2 = makeSslContext(); SslContext leanContext2 = makeSslContext(provider, false);
DomainNameMapping<SslContext> mapping = new DomainNameMappingBuilder<SslContext>(nettyContext)
.add("*.netty.io", nettyContext)
// input with custom cases
.add("*.LEANCLOUD.CN", leanContext)
// a hostname conflict with previous one, since we are using order-sensitive config, the engine won't
// be used with the handler.
.add("chat4.leancloud.cn", leanContext2)
.build();
SniHandler handler = new SniHandler(mapping);
EmbeddedChannel ch = new EmbeddedChannel(handler);
// hex dump of a client hello packet, which contains hostname "CHAT4。LEANCLOUD。CN"
String tlsHandshakeMessageHex1 = "16030100";
// part 2
String tlsHandshakeMessageHex = "bd010000b90303a74225676d1814ba57faff3b366" +
"3656ed05ee9dbb2a4dbb1bb1c32d2ea5fc39e0000000100008c0000001700150000164348" +
"415434E380824C45414E434C4F5544E38082434E000b000403000102000a00340032000e0" +
"00d0019000b000c00180009000a0016001700080006000700140015000400050012001300" +
"0100020003000f0010001100230000000d0020001e0601060206030501050205030401040" +
"20403030103020303020102020203000f00010133740000";
try { try {
// Push the handshake message. DomainNameMapping<SslContext> mapping = new DomainNameMappingBuilder<SslContext>(nettyContext)
// Decode should fail because SNI error .add("*.netty.io", nettyContext)
ch.writeInbound(Unpooled.wrappedBuffer(DatatypeConverter.parseHexBinary(tlsHandshakeMessageHex1))); // input with custom cases
ch.writeInbound(Unpooled.wrappedBuffer(DatatypeConverter.parseHexBinary(tlsHandshakeMessageHex))); .add("*.LEANCLOUD.CN", leanContext)
fail(); // a hostname conflict with previous one, since we are using order-sensitive config,
} catch (DecoderException e) { // the engine won't be used with the handler.
// expected .add("chat4.leancloud.cn", leanContext2)
} .build();
assertThat(ch.finish(), is(true)); SniHandler handler = new SniHandler(mapping);
assertThat(handler.hostname(), is("chat4.leancloud.cn")); EmbeddedChannel ch = new EmbeddedChannel(handler);
assertThat(handler.sslContext(), is(leanContext));
for (;;) { // hex dump of a client hello packet, which contains hostname "CHAT4。LEANCLOUD。CN"
Object msg = ch.readOutbound(); String tlsHandshakeMessageHex1 = "16030100";
if (msg == null) { // part 2
break; String tlsHandshakeMessageHex = "bd010000b90303a74225676d1814ba57faff3b366" +
"3656ed05ee9dbb2a4dbb1bb1c32d2ea5fc39e0000000100008c0000001700150000164348" +
"415434E380824C45414E434C4F5544E38082434E000b000403000102000a00340032000e0" +
"00d0019000b000c00180009000a0016001700080006000700140015000400050012001300" +
"0100020003000f0010001100230000000d0020001e0601060206030501050205030401040" +
"20403030103020303020102020203000f00010133740000";
try {
// Push the handshake message.
// Decode should fail because SNI error
ch.writeInbound(Unpooled.wrappedBuffer(DatatypeConverter.parseHexBinary(tlsHandshakeMessageHex1)));
ch.writeInbound(Unpooled.wrappedBuffer(DatatypeConverter.parseHexBinary(tlsHandshakeMessageHex)));
fail();
} catch (DecoderException e) {
// expected
} }
ReferenceCountUtil.release(msg);
// Just call finish and not assert the return value. This is because OpenSSL correct produces an alert
// while the JDK SSLEngineImpl does not atm.
// See https://github.com/netty/netty/issues/5874
ch.finish();
assertThat(handler.hostname(), is("chat4.leancloud.cn"));
assertThat(handler.sslContext(), is(leanContext));
for (;;) {
Object msg = ch.readOutbound();
if (msg == null) {
break;
}
ReferenceCountUtil.release(msg);
}
} finally {
releaseAll(leanContext, leanContext2, nettyContext);
} }
} }
@Test @Test
public void testFallbackToDefaultContext() throws Exception { public void testFallbackToDefaultContext() throws Exception {
SslContext nettyContext = makeSslContext(); SslContext nettyContext = makeSslContext(provider, false);
SslContext leanContext = makeSslContext(); SslContext leanContext = makeSslContext(provider, false);
SslContext leanContext2 = makeSslContext(); SslContext leanContext2 = makeSslContext(provider, false);
DomainNameMapping<SslContext> mapping = new DomainNameMappingBuilder<SslContext>(nettyContext)
.add("*.netty.io", nettyContext)
// input with custom cases
.add("*.LEANCLOUD.CN", leanContext)
// a hostname conflict with previous one, since we are using order-sensitive config, the engine won't
// be used with the handler.
.add("chat4.leancloud.cn", leanContext2)
.build();
SniHandler handler = new SniHandler(mapping);
EmbeddedChannel ch = new EmbeddedChannel(handler);
// invalid
byte[] message = { 22, 3, 1, 0, 0 };
try { try {
// Push the handshake message. DomainNameMapping<SslContext> mapping = new DomainNameMappingBuilder<SslContext>(nettyContext)
ch.writeInbound(Unpooled.wrappedBuffer(message)); .add("*.netty.io", nettyContext)
} catch (Exception e) { // input with custom cases
// expected .add("*.LEANCLOUD.CN", leanContext)
} // a hostname conflict with previous one, since we are using order-sensitive config,
// the engine won't be used with the handler.
.add("chat4.leancloud.cn", leanContext2)
.build();
assertThat(ch.finish(), is(false)); SniHandler handler = new SniHandler(mapping);
assertThat(handler.hostname(), nullValue()); EmbeddedChannel ch = new EmbeddedChannel(handler);
assertThat(handler.sslContext(), is(nettyContext));
// invalid
byte[] message = {22, 3, 1, 0, 0};
try {
// Push the handshake message.
ch.writeInbound(Unpooled.wrappedBuffer(message));
} catch (Exception e) {
// expected
}
assertThat(ch.finish(), is(false));
assertThat(handler.hostname(), nullValue());
assertThat(handler.sslContext(), is(nettyContext));
} finally {
releaseAll(leanContext, leanContext2, nettyContext);
}
} }
@Test @Test
public void testSniWithApnHandler() throws Exception { public void testSniWithApnHandler() throws Exception {
SslContext nettyContext = makeSslContext(); SslContext nettyContext = makeSslContext(provider, true);
SslContext sniContext = makeSslContext(); SslContext sniContext = makeSslContext(provider, true);
final SslContext clientContext = makeSslClientContext(); final SslContext clientContext = makeSslClientContext(provider, true);
final CountDownLatch serverApnDoneLatch = new CountDownLatch(1);
final CountDownLatch clientApnDoneLatch = new CountDownLatch(1);
final DomainNameMapping<SslContext> mapping = new DomainNameMappingBuilder<SslContext>(nettyContext)
.add("*.netty.io", nettyContext)
.add("sni.fake.site", sniContext).build();
final SniHandler handler = new SniHandler(mapping);
EventLoopGroup group = new NioEventLoopGroup(2);
Channel serverChannel = null;
Channel clientChannel = null;
try { try {
ServerBootstrap sb = new ServerBootstrap(); final CountDownLatch serverApnDoneLatch = new CountDownLatch(1);
sb.group(group); final CountDownLatch clientApnDoneLatch = new CountDownLatch(1);
sb.channel(NioServerSocketChannel.class);
sb.childHandler(new ChannelInitializer<Channel>() { final DomainNameMapping<SslContext> mapping = new DomainNameMappingBuilder<SslContext>(nettyContext)
@Override .add("*.netty.io", nettyContext)
protected void initChannel(Channel ch) throws Exception { .add("sni.fake.site", sniContext).build();
ChannelPipeline p = ch.pipeline(); final SniHandler handler = new SniHandler(mapping);
// Server side SNI. EventLoopGroup group = new NioEventLoopGroup(2);
p.addLast(handler); Channel serverChannel = null;
// Catch the notification event that APN has completed successfully. Channel clientChannel = null;
p.addLast(new ApplicationProtocolNegotiationHandler("foo") { try {
@Override ServerBootstrap sb = new ServerBootstrap();
protected void configurePipeline(ChannelHandlerContext ctx, String protocol) throws Exception { sb.group(group);
serverApnDoneLatch.countDown(); sb.channel(NioServerSocketChannel.class);
} sb.childHandler(new ChannelInitializer<Channel>() {
}); @Override
protected void initChannel(Channel ch) throws Exception {
ChannelPipeline p = ch.pipeline();
// Server side SNI.
p.addLast(handler);
// Catch the notification event that APN has completed successfully.
p.addLast(new ApplicationProtocolNegotiationHandler("foo") {
@Override
protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
serverApnDoneLatch.countDown();
}
});
}
});
Bootstrap cb = new Bootstrap();
cb.group(group);
cb.channel(NioSocketChannel.class);
cb.handler(new ChannelInitializer<Channel>() {
@Override
protected void initChannel(Channel ch) throws Exception {
ch.pipeline().addLast(new SslHandler(clientContext.newEngine(
ch.alloc(), "sni.fake.site", -1)));
// Catch the notification event that APN has completed successfully.
ch.pipeline().addLast(new ApplicationProtocolNegotiationHandler("foo") {
@Override
protected void configurePipeline(ChannelHandlerContext ctx, String protocol) {
clientApnDoneLatch.countDown();
}
});
}
});
serverChannel = sb.bind(new InetSocketAddress(0)).sync().channel();
ChannelFuture ccf = cb.connect(serverChannel.localAddress());
assertTrue(ccf.awaitUninterruptibly().isSuccess());
clientChannel = ccf.channel();
assertTrue(serverApnDoneLatch.await(5, TimeUnit.SECONDS));
assertTrue(clientApnDoneLatch.await(5, TimeUnit.SECONDS));
assertThat(handler.hostname(), is("sni.fake.site"));
assertThat(handler.sslContext(), is(sniContext));
} finally {
if (serverChannel != null) {
serverChannel.close().sync();
} }
}); if (clientChannel != null) {
clientChannel.close().sync();
Bootstrap cb = new Bootstrap();
cb.group(group);
cb.channel(NioSocketChannel.class);
cb.handler(new ChannelInitializer<Channel>() {
@Override
protected void initChannel(Channel ch) throws Exception {
ch.pipeline().addLast(new SslHandler(clientContext.newEngine(
ch.alloc(), "sni.fake.site", -1)));
// Catch the notification event that APN has completed successfully.
ch.pipeline().addLast(new ApplicationProtocolNegotiationHandler("foo") {
@Override
protected void configurePipeline(ChannelHandlerContext ctx, String protocol) throws Exception {
clientApnDoneLatch.countDown();
}
});
} }
}); group.shutdownGracefully(0, 0, TimeUnit.MICROSECONDS);
}
serverChannel = sb.bind(new InetSocketAddress(0)).sync().channel();
ChannelFuture ccf = cb.connect(serverChannel.localAddress());
assertTrue(ccf.awaitUninterruptibly().isSuccess());
clientChannel = ccf.channel();
assertTrue(serverApnDoneLatch.await(5, TimeUnit.SECONDS));
assertTrue(clientApnDoneLatch.await(5, TimeUnit.SECONDS));
assertThat(handler.hostname(), is("sni.fake.site"));
assertThat(handler.sslContext(), is(sniContext));
} finally { } finally {
if (serverChannel != null) { releaseAll(clientContext, nettyContext, sniContext);
serverChannel.close().sync();
}
if (clientChannel != null) {
clientChannel.close().sync();
}
group.shutdownGracefully(0, 0, TimeUnit.MICROSECONDS);
} }
} }
@Test(timeout = 10L * 1000L) @Test(timeout = 10L * 1000L)
public void testReplaceHandler() throws Exception { public void testReplaceHandler() throws Exception {
switch (provider) {
case OPENSSL:
case OPENSSL_REFCNT:
final String sniHost = "sni.netty.io";
LocalAddress address = new LocalAddress("testReplaceHandler-" + Math.random());
EventLoopGroup group = new DefaultEventLoopGroup(1);
Channel sc = null;
Channel cc = null;
SslContext sslContext = null;
assumeTrue(OpenSsl.isAvailable()); SelfSignedCertificate cert = new SelfSignedCertificate();
final String sniHost = "sni.netty.io"; try {
LocalAddress address = new LocalAddress("testReplaceHandler-" + Math.random()); final SslContext sslServerContext = SslContextBuilder
EventLoopGroup group = new DefaultEventLoopGroup(1); .forServer(cert.key(), cert.cert())
Channel sc = null; .sslProvider(provider)
Channel cc = null; .build();
SelfSignedCertificate cert = new SelfSignedCertificate(); final Mapping<String, SslContext> mapping = new Mapping<String, SslContext>() {
@Override
public SslContext map(String input) {
return sslServerContext;
}
};
try { final Promise<Void> releasePromise = group.next().newPromise();
final SslContext sslServerContext = SslContextBuilder
.forServer(cert.key(), cert.cert())
.sslProvider(SslProvider.OPENSSL)
.build();
final Mapping<String, SslContext> mapping = new Mapping<String, SslContext>() { final SniHandler handler = new SniHandler(mapping) {
@Override @Override
public SslContext map(String input) { protected void replaceHandler(ChannelHandlerContext ctx,
return sslServerContext; String hostname, final SslContext sslContext)
} throws Exception {
};
final Promise<Void> releasePromise = group.next().newPromise(); boolean success = false;
try {
// The SniHandler's replaceHandler() method allows us to implement custom behavior.
// As an example, we want to release() the SslContext upon channelInactive() or rather
// when the SslHandler closes it's SslEngine. If you take a close look at SslHandler
// you'll see that it's doing it in the #handlerRemoved0() method.
final SniHandler handler = new SniHandler(mapping) { SSLEngine sslEngine = sslContext.newEngine(ctx.alloc());
@Override try {
protected void replaceHandler(ChannelHandlerContext ctx, SslHandler customSslHandler = new CustomSslHandler(sslContext, sslEngine) {
String hostname, final SslContext sslContext) @Override
throws Exception { public void handlerRemoved0(ChannelHandlerContext ctx) throws Exception {
try {
boolean success = false; super.handlerRemoved0(ctx);
try { } finally {
// The SniHandler's replaceHandler() method allows us to implement custom behavior. releasePromise.trySuccess(null);
// As an example, we want to release() the SslContext upon channelInactive() or rather }
// when the SslHandler closes it's SslEngine. If you take a close look at SslHandler }
// you'll see that it's doing it in the #handlerRemoved0() method. };
ctx.pipeline().replace(this, CustomSslHandler.class.getName(), customSslHandler);
SSLEngine sslEngine = sslContext.newEngine(ctx.alloc()); success = true;
try { } finally {
SslHandler customSslHandler = new CustomSslHandler(sslContext, sslEngine) { if (!success) {
@Override ReferenceCountUtil.safeRelease(sslEngine);
public void handlerRemoved0(ChannelHandlerContext ctx) throws Exception {
try {
super.handlerRemoved0(ctx);
} finally {
releasePromise.trySuccess(null);
} }
} }
}; } finally {
ctx.pipeline().replace(this, CustomSslHandler.class.getName(), customSslHandler); if (!success) {
success = true; ReferenceCountUtil.safeRelease(sslContext);
} finally { releasePromise.cancel(true);
if (!success) { }
ReferenceCountUtil.safeRelease(sslEngine);
} }
} }
} finally { };
if (!success) {
ReferenceCountUtil.safeRelease(sslContext); ServerBootstrap sb = new ServerBootstrap();
releasePromise.cancel(true); sc = sb.group(group).channel(LocalServerChannel.class)
.childHandler(new ChannelInitializer<Channel>() {
@Override
protected void initChannel(Channel ch) throws Exception {
ch.pipeline().addFirst(handler);
} }
}).bind(address).syncUninterruptibly().channel();
sslContext = SslContextBuilder.forClient().sslProvider(provider)
.trustManager(InsecureTrustManagerFactory.INSTANCE).build();
Bootstrap cb = new Bootstrap();
cc = cb.group(group).channel(LocalChannel.class).handler(new SslHandler(
sslContext.newEngine(ByteBufAllocator.DEFAULT, sniHost, -1)))
.connect(address).syncUninterruptibly().channel();
cc.writeAndFlush(Unpooled.wrappedBuffer("Hello, World!".getBytes()))
.syncUninterruptibly();
// Notice how the server's SslContext refCnt is 1
assertEquals(1, ((ReferenceCounted) sslServerContext).refCnt());
// The client disconnects
cc.close().syncUninterruptibly();
if (!releasePromise.awaitUninterruptibly(10L, TimeUnit.SECONDS)) {
throw new IllegalStateException("It doesn't seem #replaceHandler() got called.");
} }
// We should have successfully release() the SslContext
assertEquals(0, ((ReferenceCounted) sslServerContext).refCnt());
} finally {
if (cc != null) {
cc.close().syncUninterruptibly();
}
if (sc != null) {
sc.close().syncUninterruptibly();
}
if (sslContext != null) {
ReferenceCountUtil.release(sslContext);
}
group.shutdownGracefully();
cert.delete();
} }
}; case JDK:
return;
ServerBootstrap sb = new ServerBootstrap(); default:
sc = sb.group(group).channel(LocalServerChannel.class).childHandler(new ChannelInitializer<Channel>() { throw new Error();
@Override
protected void initChannel(Channel ch) throws Exception {
ch.pipeline().addFirst(handler);
}
}).bind(address).syncUninterruptibly().channel();
SslContext sslContext = SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE)
.build();
Bootstrap cb = new Bootstrap();
cc = cb.group(group).channel(LocalChannel.class).handler(new SslHandler(
sslContext.newEngine(ByteBufAllocator.DEFAULT, sniHost, -1)))
.connect(address).syncUninterruptibly().channel();
cc.writeAndFlush(Unpooled.wrappedBuffer("Hello, World!".getBytes()))
.syncUninterruptibly();
// Notice how the server's SslContext refCnt is 1
assertEquals(1, ((ReferenceCounted) sslServerContext).refCnt());
// The client disconnects
cc.close().syncUninterruptibly();
if (!releasePromise.awaitUninterruptibly(10L, TimeUnit.SECONDS)) {
throw new IllegalStateException("It doesn't seem #replaceHandler() got called.");
}
// We should have successfully release() the SslContext
assertEquals(0, ((ReferenceCounted) sslServerContext).refCnt());
} finally {
if (cc != null) {
cc.close().syncUninterruptibly();
}
if (sc != null) {
sc.close().syncUninterruptibly();
}
group.shutdownGracefully();
cert.delete();
} }
} }
@ -384,4 +457,10 @@ public class SniHandlerTest {
ReferenceCountUtil.release(sslContext); ReferenceCountUtil.release(sslContext);
} }
} }
private static void releaseAll(SslContext... contexts) {
for (SslContext ctx: contexts) {
ReferenceCountUtil.release(ctx);
}
}
} }