Allow to unwrap ByteBuffer > MAX_ENCRYPTED_PACKET_LENGTH

Motivation: We should remove the restriction to only allow to call unwrap with a ByteBuffer[] whose cumulative length exceeds MAX_ENCRYPTED_PACKET_LENGTH. Modifications: Remove guard. Result: Fixes [#6335].
2017-02-08 21:55:10 +01:00 · 2017-02-08 21:55:10 +01:00 · d873adf2a3
commit d873adf2a3
parent 1a684f4882
2 changed files with 50 additions and 6 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslEngine.java
@ -783,12 +783,6 @@ public class ReferenceCountedOpenSslEngine extends SSLEngine implements Referenc
                return isOutboundDone() || isDestroyed() ? CLOSED_NOT_HANDSHAKING : NEED_WRAP_CLOSED;
            }
            // protect against protocol overflow attack vector
            if (len > MAX_ENCRYPTED_PACKET_LENGTH) {
                shutdown();
                throw ENCRYPTED_PACKET_OVERSIZED;
            }
            SSLEngineResult.HandshakeStatus status = NOT_HANDSHAKING;
            // Prepare OpenSSL to work in server mode and receive handshake
            if (handshakeState != HandshakeState.FINISHED) {
--- a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
@ -1696,6 +1696,56 @@ public abstract class SSLEngineTest {
        }
    }
    @Test
    public void testMultipleRecordsInOneBufferBiggerThenPacketBufferSize() throws Exception {
        SelfSignedCertificate cert = new SelfSignedCertificate();
        clientSslCtx = SslContextBuilder
                .forClient()
                .trustManager(cert.cert())
                .sslProvider(sslClientProvider())
                .build();
        SSLEngine client = clientSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
        serverSslCtx = SslContextBuilder
                .forServer(cert.certificate(), cert.privateKey())
                .sslProvider(sslServerProvider())
                .build();
        SSLEngine server = serverSslCtx.newEngine(UnpooledByteBufAllocator.DEFAULT);
        try {
            ByteBuffer plainClientOut = allocateBuffer(4096);
            ByteBuffer plainServerOut = allocateBuffer(server.getSession().getApplicationBufferSize());
            ByteBuffer encClientToServer = allocateBuffer(server.getSession().getPacketBufferSize() * 2);
            handshake(client, server);
            int srcLen = plainClientOut.remaining();
            SSLEngineResult result;
            while (encClientToServer.position() <= server.getSession().getPacketBufferSize()) {
                result = client.wrap(plainClientOut, encClientToServer);
                assertEquals(SSLEngineResult.Status.OK, result.getStatus());
                assertEquals(srcLen, result.bytesConsumed());
                assertTrue(result.bytesProduced() > 0);
                plainClientOut.clear();
            }
            encClientToServer.flip();
            result = server.unwrap(encClientToServer, plainServerOut);
            assertEquals(SSLEngineResult.Status.OK, result.getStatus());
            assertTrue(result.bytesConsumed() > 0);
            assertTrue(result.bytesProduced() > 0);
        } finally {
            cert.delete();
            cleanupClientSslEngine(client);
            cleanupServerSslEngine(server);
        }
    }
    @Test
    public void testBufferUnderFlow() throws Exception {
        SelfSignedCertificate cert = new SelfSignedCertificate();