Allow to unwrap ByteBuffer > MAX_ENCRYPTED_PACKET_LENGTH

Motivation: We should remove the restriction to only allow to call unwrap with a ByteBuffer[] whose cumulative length exceeds MAX_ENCRYPTED_PACKET_LENGTH. Modifications: Remove guard. Result: Fixes [#6335].
2017-02-08 21:55:10 +01:00 · 2017-02-08 21:55:10 +01:00 · adcde84253
commit adcde84253
parent 0cf3f54a8d
2 changed files with 50 additions and 6 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
@ -804,12 +804,6 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
                return isOutboundDone() || isDestroyed() ? CLOSED_NOT_HANDSHAKING : NEED_WRAP_CLOSED;
            }

-            // protect against protocol overflow attack vector
-            if (len > MAX_ENCRYPTED_PACKET_LENGTH) {
-                shutdown();
-                throw ENCRYPTED_PACKET_OVERSIZED;
-            }
-
            SSLEngineResult.HandshakeStatus status = NOT_HANDSHAKING;
            // Prepare OpenSSL to work in server mode and receive handshake
            if (handshakeState != HandshakeState.FINISHED) {
--- a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
@ -1701,6 +1701,56 @@ public abstract class SSLEngineTest {
        }
    }

+    @Test
+    public void testMultipleRecordsInOneBufferBiggerThenPacketBufferSize() throws Exception {
+        SelfSignedCertificate cert = new SelfSignedCertificate();
+
+        clientSslCtx = SslContextBuilder
+                .forClient()
+                .trustManager(cert.cert())
+                .sslProvider(sslClientProvider())
+                .build();
+        SSLEngine client = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
+
+        serverSslCtx = SslContextBuilder
+                .forServer(cert.certificate(), cert.privateKey())
+                .sslProvider(sslServerProvider())
+                .build();
+        SSLEngine server = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
+
+        try {
+            ByteBuffer plainClientOut = allocateBuffer(4096);
+            ByteBuffer plainServerOut = allocateBuffer(server.getSession().getApplicationBufferSize());
+
+            ByteBuffer encClientToServer = allocateBuffer(server.getSession().getPacketBufferSize() * 2);
+
+            handshake(client, server);
+
+            int srcLen = plainClientOut.remaining();
+            SSLEngineResult result;
+
+            while (encClientToServer.position() <= server.getSession().getPacketBufferSize()) {
+                result = client.wrap(plainClientOut, encClientToServer);
+                assertEquals(SSLEngineResult.Status.OK, result.getStatus());
+                assertEquals(srcLen, result.bytesConsumed());
+                assertTrue(result.bytesProduced() > 0);
+
+                plainClientOut.clear();
+            }
+
+            encClientToServer.flip();
+
+            result = server.unwrap(encClientToServer, plainServerOut);
+            assertEquals(SSLEngineResult.Status.OK, result.getStatus());
+            assertTrue(result.bytesConsumed() > 0);
+            assertTrue(result.bytesProduced() > 0);
+        } finally {
+            cert.delete();
+            cleanupClientSslEngine(client);
+            cleanupServerSslEngine(server);
+        }
+    }
+
    @Test
    public void testBufferUnderFlow() throws Exception {
        SelfSignedCertificate cert = new SelfSignedCertificate();