Introduce helper method to detect if a buffer is encrypted. See #657

This commit is contained in:
Norman Maurer 2012-10-16 13:44:30 +02:00
parent 303fb80d34
commit 9e6c616c35

View File

@ -646,17 +646,45 @@ public class SslHandler
return false;
}
@Override
public void inboundBufferUpdated(final ChannelHandlerContext ctx) throws Exception {
final ByteBuf in = ctx.inboundByteBuffer();
/**
* Returns <code>true</code> if the given {@link ByteBuf} is encrypted. Be aware that this method
* will not increase the readerIndex of the given {@link ByteBuf}.
*
* @param buffer
* The {@link ByteBuf} to read from. Be aware that it must have at least 5 bytes to read,
* otherwise it will throw an {@link IllegalArgumentException}.
* @return encrypted
* <code>true</code> if the {@link ByteBuf} is encrypted, <code>false</code> otherwise.
* @throws IllegalArgumentException
* Is thrown if the given {@link ByteBuf} has not at least 5 bytes to read.
*/
public static boolean isEncrypted(ByteBuf buffer) {
return getEncryptedPacketLength(buffer) != -1;
}
if (in.readableBytes() < 5) {
return;
/**
* Return how much bytes can be read out of the encrypted data. Be aware that this method will not increase
* the readerIndex of the given {@link ByteBuf}.
*
* @param buffer
* The {@link ByteBuf} to read from. Be aware that it must have at least 5 bytes to read,
* otherwise it will throw an {@link IllegalArgumentException}.
* @return length
* The length of the encrypted packet that is included in the buffer. This will
* return <code>-1</code> if the given {@link ByteBuf} is not encrypted at all.
* @throws IllegalArgumentException
* Is thrown if the given {@link ByteBuf} has not at least 5 bytes to read.
*/
private static int getEncryptedPacketLength(ByteBuf buffer) {
if (buffer.readableBytes() < 5) {
throw new IllegalArgumentException("buffer must have at least 5 readable bytes");
}
int packetLength = 0;
// SSLv3 or TLS - Check ContentType
boolean tls;
switch (in.getUnsignedByte(in.readerIndex())) {
switch (buffer.getUnsignedByte(buffer.readerIndex())) {
case 20: // change_cipher_spec
case 21: // alert
case 22: // handshake
@ -668,13 +696,12 @@ public class SslHandler
tls = false;
}
int packetLength = -1;
if (tls) {
// SSLv3 or TLS - Check ProtocolVersion
int majorVersion = in.getUnsignedByte(in.readerIndex() + 1);
int majorVersion = buffer.getUnsignedByte(buffer.readerIndex() + 1);
if (majorVersion == 3) {
// SSLv3 or TLS
packetLength = (getShort(in, in.readerIndex() + 3) & 0xFFFF) + 5;
packetLength = (getShort(buffer, buffer.readerIndex() + 3) & 0xFFFF) + 5;
if (packetLength <= 5) {
// Neither SSLv3 or TLSv1 (i.e. SSLv2 or bad data)
tls = false;
@ -688,16 +715,16 @@ public class SslHandler
if (!tls) {
// SSLv2 or bad data - Check the version
boolean sslv2 = true;
int headerLength = (in.getUnsignedByte(
in.readerIndex()) & 0x80) != 0 ? 2 : 3;
int majorVersion = in.getUnsignedByte(
in.readerIndex() + headerLength + 1);
int headerLength = (buffer.getUnsignedByte(
buffer.readerIndex()) & 0x80) != 0 ? 2 : 3;
int majorVersion = buffer.getUnsignedByte(
buffer.readerIndex() + headerLength + 1);
if (majorVersion == 2 || majorVersion == 3) {
// SSLv2
if (headerLength == 2) {
packetLength = (getShort(in, in.readerIndex()) & 0x7FFF) + 2;
packetLength = (getShort(buffer, buffer.readerIndex()) & 0x7FFF) + 2;
} else {
packetLength = (getShort(in, in.readerIndex()) & 0x3FFF) + 3;
packetLength = (getShort(buffer, buffer.readerIndex()) & 0x3FFF) + 3;
}
if (packetLength <= headerLength) {
sslv2 = false;
@ -707,15 +734,31 @@ public class SslHandler
}
if (!sslv2) {
// Bad data - discard the buffer and raise an exception.
NotSslRecordException e = new NotSslRecordException(
"not an SSL/TLS record: " + ByteBufUtil.hexDump(in));
in.skipBytes(in.readableBytes());
ctx.fireExceptionCaught(e);
setHandshakeFailure(e);
return;
return -1;
}
}
return packetLength;
}
@Override
public void inboundBufferUpdated(final ChannelHandlerContext ctx) throws Exception {
final ByteBuf in = ctx.inboundByteBuffer();
if (in.readableBytes() < 5) {
return;
}
int packetLength = getEncryptedPacketLength(in);
if (packetLength == -1) {
// Bad data - discard the buffer and raise an exception.
NotSslRecordException e = new NotSslRecordException(
"not an SSL/TLS record: " + ByteBufUtil.hexDump(in));
in.skipBytes(in.readableBytes());
ctx.fireExceptionCaught(e);
setHandshakeFailure(e);
return;
}
assert packetLength > 0;