Fixes #1228 - Internal error during SSL handshake.

Added a guard to avoid unwrapping during handshake if SSLEngine is already closed.
2017-01-10 15:05:40 +01:00 · 2017-01-10 15:05:40 +01:00 · b8986d5812
parent d2b8980243
commit b8986d5812
2 changed files with 97 additions and 0 deletions
--- a/jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslConnectionTest.java
+++ b/jetty-client/src/test/java/org/eclipse/jetty/client/ssl/SslConnectionTest.java
@ -0,0 +1,94 @@
+//
+//  ========================================================================
+//  Copyright (c) 1995-2016 Mort Bay Consulting Pty. Ltd.
+//  ------------------------------------------------------------------------
+//  All rights reserved. This program and the accompanying materials
+//  are made available under the terms of the Eclipse Public License v1.0
+//  and Apache License v2.0 which accompanies this distribution.
+//
+//      The Eclipse Public License is available at
+//      http://www.eclipse.org/legal/epl-v10.html
+//
+//      The Apache License v2.0 is available at
+//      http://www.opensource.org/licenses/apache2.0.php
+//
+//  You may elect to redistribute this code under either of these licenses.
+//  ========================================================================
+//
+
+package org.eclipse.jetty.client.ssl;
+
+import java.io.File;
+import java.nio.ByteBuffer;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLHandshakeException;
+
+import org.eclipse.jetty.io.AbstractConnection;
+import org.eclipse.jetty.io.ByteArrayEndPoint;
+import org.eclipse.jetty.io.ByteBufferPool;
+import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.io.MappedByteBufferPool;
+import org.eclipse.jetty.io.ssl.SslConnection;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.BufferUtil;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.eclipse.jetty.util.thread.QueuedThreadPool;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class SslConnectionTest
+{
+    @Test
+    public void testSslConnectionClosedBeforeFill() throws Exception
+    {
+        File keyStore = MavenTestingUtils.getTestResourceFile("keystore.jks");
+        SslContextFactory sslContextFactory = new SslContextFactory();
+        sslContextFactory.setKeyStorePath(keyStore.getAbsolutePath());
+        sslContextFactory.setKeyStorePassword("storepwd");
+        sslContextFactory.start();
+
+        ByteBufferPool byteBufferPool = new MappedByteBufferPool();
+        QueuedThreadPool threadPool = new QueuedThreadPool();
+        threadPool.start();
+        ByteArrayEndPoint endPoint = new ByteArrayEndPoint();
+        SSLEngine sslEngine = sslContextFactory.newSSLEngine();
+        sslEngine.setUseClientMode(false);
+        SslConnection sslConnection = new SslConnection(byteBufferPool, threadPool, endPoint, sslEngine);
+        EndPoint sslEndPoint = sslConnection.getDecryptedEndPoint();
+        sslEndPoint.setConnection(new AbstractConnection(sslEndPoint, threadPool)
+        {
+            @Override
+            public void onFillable()
+            {
+            }
+        });
+
+        // There are no bytes in the endPoint, so we fill zero.
+        // However, this will trigger state changes in SSLEngine
+        // that will later cause it to throw ISE("Internal error").
+        sslEndPoint.fill(BufferUtil.EMPTY_BUFFER);
+
+        // Close the connection before filling.
+        sslEndPoint.shutdownOutput();
+
+        // Put some bytes in the endPoint to trigger
+        // the required state changes in SSLEngine.
+        byte[] bytes = new byte[]{0x16, 0x03, 0x03, 0x00, 0x00};
+        endPoint.addInput(ByteBuffer.wrap(bytes));
+
+        // This attempt to read, if not guarded, throws ISE("Internal error").
+        // We want SSLHandshakeException to be thrown instead, because it is
+        // handled better (it is an IOException) by the Connection code that
+        // reads from the EndPoint.
+        try
+        {
+            sslEndPoint.fill(BufferUtil.EMPTY_BUFFER);
+            Assert.fail();
+        }
+        catch (SSLHandshakeException x)
+        {
+            // Expected.
+        }
+    }
+}
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
@ -542,6 +542,9 @@ public class SslConnection extends AbstractConnection
                            // Let's try reading some encrypted data... even if we have some already.
                            int net_filled = getEndPoint().fill(_encryptedInput);

+                            if (net_filled > 0 && !_handshaken && _sslEngine.isOutboundDone())
+                                throw new SSLHandshakeException("Closed during handshake");
+
                            decryption: while (true)
                            {
                                // Let's unwrap even if we have no net data because in that