Attachment 35056 Details for Bug 60461 – Patch for OpenSSLEngine

[patch] Patch for OpenSSLEngine

sslengine_crash.patch (text/plain), 5.29 KB, created by Remy Maucherat on 2017-06-14 11:54:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Remy Maucherat

Created: 2017-06-14 11:54:47 UTC

Size: 5.29 KB

patch

obsolete

>Index: java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
>===================================================================
>--- java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java	(revision 1798660)
>+++ java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java	(working copy)
>@@ -1041,8 +1041,13 @@
> 
>         @Override
>         public byte[] getId() {
>-            // We don't cache that to keep memory usage to a minimum.
>-            byte[] id = SSL.getSessionId(ssl);
>+            byte[] id;
>+            synchronized (OpenSSLEngine.this) {
>+                if (destroyed) {
>+                    throw new IllegalStateException(sm.getString("engine.noSession"));
>+                }
>+                id = SSL.getSessionId(ssl);
>+            }
>             if (id == null) {
>                 // The id should never be null, if it was null then the SESSION itself was not valid.
>                 throw new IllegalStateException(sm.getString("engine.noSession"));
>@@ -1058,7 +1063,14 @@
>         @Override
>         public long getCreationTime() {
>             // We need to multiply by 1000 as OpenSSL uses seconds and we need milliseconds.
>-            return SSL.getTime(ssl) * 1000L;
>+            long creationTime = 0;
>+            synchronized (OpenSSLEngine.this) {
>+                if (destroyed) {
>+                    throw new IllegalStateException(sm.getString("engine.noSession"));
>+                }
>+                creationTime = SSL.getTime(ssl);
>+            }
>+            return creationTime * 1000L;
>         }
> 
>         @Override
>@@ -1140,19 +1152,22 @@
>             // these are lazy created to reduce memory overhead
>             Certificate[] c = peerCerts;
>             if (c == null) {
>-                if (SSL.isInInit(ssl) != 0) {
>-                    throw new SSLPeerUnverifiedException(sm.getString("engine.unverifiedPeer"));
>-                }
>-                byte[][] chain = SSL.getPeerCertChain(ssl);
>                 byte[] clientCert;
>-                if (!clientMode) {
>-                    // if used on the server side SSL_get_peer_cert_chain(...) will not include the remote peer certificate.
>-                    // We use SSL_get_peer_certificate to get it in this case and add it to our array later.
>-                    //
>-                    // See https://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html
>-                    clientCert = SSL.getPeerCertificate(ssl);
>-                } else {
>-                    clientCert = null;
>+                byte[][] chain;
>+                synchronized (OpenSSLEngine.this) {
>+                    if (destroyed || SSL.isInInit(ssl) != 0) {
>+                        throw new SSLPeerUnverifiedException(sm.getString("engine.unverifiedPeer"));
>+                    }
>+                    chain = SSL.getPeerCertChain(ssl);
>+                    if (!clientMode) {
>+                        // if used on the server side SSL_get_peer_cert_chain(...) will not include the remote peer certificate.
>+                        // We use SSL_get_peer_certificate to get it in this case and add it to our array later.
>+                        //
>+                        // See https://www.openssl.org/docs/ssl/SSL_get_peer_cert_chain.html
>+                        clientCert = SSL.getPeerCertificate(ssl);
>+                    } else {
>+                        clientCert = null;
>+                    }
>                 }
>                 if (chain == null && clientCert == null) {
>                     return null;
>@@ -1193,10 +1208,13 @@
>             // these are lazy created to reduce memory overhead
>             X509Certificate[] c = x509PeerCerts;
>             if (c == null) {
>-                if (SSL.isInInit(ssl) != 0) {
>-                    throw new SSLPeerUnverifiedException(sm.getString("engine.unverifiedPeer"));
>+                byte[][] chain;
>+                synchronized (OpenSSLEngine.this) {
>+                    if (destroyed || SSL.isInInit(ssl) != 0) {
>+                        throw new SSLPeerUnverifiedException(sm.getString("engine.unverifiedPeer"));
>+                    }
>+                    chain = SSL.getPeerCertChain(ssl);
>                 }
>-                byte[][] chain = SSL.getPeerCertChain(ssl);
>                 if (chain == null) {
>                     throw new SSLPeerUnverifiedException(sm.getString("engine.unverifiedPeer"));
>                 }
>@@ -1241,7 +1259,14 @@
>                 return INVALID_CIPHER;
>             }
>             if (cipher == null) {
>-                String c = OpenSSLCipherConfigurationParser.openSSLToJsse(SSL.getCipherForSSL(ssl));
>+                String ciphers;
>+                synchronized (OpenSSLEngine.this) {
>+                    if (destroyed) {
>+                        return INVALID_CIPHER;
>+                    }
>+                    ciphers = SSL.getCipherForSSL(ssl);
>+                }
>+                String c = OpenSSLCipherConfigurationParser.openSSLToJsse(ciphers);
>                 if (c != null) {
>                     cipher = c;
>                 }
>@@ -1251,6 +1276,7 @@
> 
>         @Override
>         public String getProtocol() {
>+            // No sync as ALPN is called when opening the connection
>             String applicationProtocol = OpenSSLEngine.this.applicationProtocol;
>             if (applicationProtocol == null) {
>                 applicationProtocol = SSL.getNextProtoNegotiated(ssl);
>

Actions: View | Diff

Attachments on bug 60461: 34512 | 34790 | 35004 | 35051 | 35056 | 35069