

Don't reset BCSSLParameters when setting application protocols (#13262)
Motivation:

We had a bug that led to resetting the BCSSLParameters while setting the application protocols.

Modifications:

Retrieve already configured BCSSLParameters and use these to set the application protocol

Result:

Fixes #13261
normanmaurer committed Mar 9, 2023
1 parent c353f4f commit 8fac718
Showing 1 changed file with 24 additions and 17 deletions.
Expand Up @@ -17,13 +17,13 @@


import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.SuppressJava6Requirement;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
Expand All @@ -37,8 +37,8 @@
@SuppressJava6Requirement(reason = "Usage guarded by java version check")
final class BouncyCastleAlpnSslUtils {
private static final InternalLogger logger = InternalLoggerFactory.getInstance(BouncyCastleAlpnSslUtils.class);
private static final Class BC_SSL_PARAMETERS;
private static final Method SET_PARAMETERS;
private static final Method GET_PARAMETERS;
private static final Method SET_APPLICATION_PROTOCOLS;
private static final Method GET_APPLICATION_PROTOCOL;
private static final Method GET_HANDSHAKE_APPLICATION_PROTOCOL;
Expand All @@ -49,7 +49,7 @@ final class BouncyCastleAlpnSslUtils {

static {
Class bcSslEngine;
Class bcSslParameters;
Method getParameters;
Method setParameters;
Method setApplicationProtocols;
Method getApplicationProtocol;
Expand All @@ -63,10 +63,6 @@ final class BouncyCastleAlpnSslUtils {
bcSslEngine = Class.forName("org.bouncycastle.jsse.BCSSLEngine");
final Class testBCSslEngine = bcSslEngine;

bcSslParameters = Class.forName("org.bouncycastle.jsse.BCSSLParameters");
Object bcSslParametersInstance = bcSslParameters.newInstance();
final Class testBCSslParameters = bcSslParameters;

bcApplicationProtocolSelector =
Class.forName("org.bouncycastle.jsse.BCApplicationProtocolSelector");

Expand All @@ -82,21 +78,32 @@ public Method run() throws Exception {

SSLContext context = getSSLContext("BCJSSE");
SSLEngine engine = context.createSSLEngine();

getParameters = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
@Override
public Method run() throws Exception {
return testBCSslEngine.getMethod("getParameters");
}
});

final Object bcSslParameters = getParameters.invoke(engine);
final Class<?> bCSslParametersClass = bcSslParameters.getClass();

setParameters = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
@Override
public Method run() throws Exception {
return testBCSslEngine.getMethod("setParameters", testBCSslParameters);
return testBCSslEngine.getMethod("setParameters", bCSslParametersClass);
}
});
setParameters.invoke(engine, bcSslParametersInstance);
setParameters.invoke(engine, bcSslParameters);

setApplicationProtocols = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
@Override
public Method run() throws Exception {
return testBCSslParameters.getMethod("setApplicationProtocols", String[].class);
return bCSslParametersClass.getMethod("setApplicationProtocols", String[].class);
}
});
setApplicationProtocols.invoke(bcSslParametersInstance, new Object[]{EmptyArrays.EMPTY_STRINGS});
setApplicationProtocols.invoke(bcSslParameters, new Object[]{EmptyArrays.EMPTY_STRINGS});

getApplicationProtocol = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
@Override
Expand Down Expand Up @@ -134,8 +141,8 @@ public Method run() throws Exception {

} catch (Throwable t) {
logger.error("Unable to initialize BouncyCastleAlpnSslUtils.", t);
bcSslParameters = null;
setParameters = null;
getParameters = null;
setApplicationProtocols = null;
getApplicationProtocol = null;
getHandshakeApplicationProtocol = null;
Expand All @@ -144,8 +151,8 @@ public Method run() throws Exception {
bcApplicationProtocolSelectorSelect = null;
bcApplicationProtocolSelector = null;
}
BC_SSL_PARAMETERS = bcSslParameters;
SET_PARAMETERS = setParameters;
GET_PARAMETERS = getParameters;
SET_APPLICATION_PROTOCOLS = setApplicationProtocols;
GET_APPLICATION_PROTOCOL = getApplicationProtocol;
GET_HANDSHAKE_APPLICATION_PROTOCOL = getHandshakeApplicationProtocol;
Expand All @@ -169,19 +176,19 @@ static String getApplicationProtocol(SSLEngine sslEngine) {
}

static void setApplicationProtocols(SSLEngine engine, List<String> supportedProtocols) {
SSLParameters parameters = engine.getSSLParameters();

String[] protocolArray = supportedProtocols.toArray(EmptyArrays.EMPTY_STRINGS);
try {
Object bcSslParameters = BC_SSL_PARAMETERS.newInstance();
Object bcSslParameters = GET_PARAMETERS.invoke(engine);
SET_APPLICATION_PROTOCOLS.invoke(bcSslParameters, new Object[]{protocolArray});
SET_PARAMETERS.invoke(engine, bcSslParameters);
} catch (UnsupportedOperationException ex) {
throw ex;
} catch (Exception ex) {
throw new IllegalStateException(ex);
}
engine.setSSLParameters(parameters);
if (PlatformDependent.javaVersion() >= 9) {
JdkAlpnSslUtils.setApplicationProtocols(engine, supportedProtocols);
}
}

static String getHandshakeApplicationProtocol(SSLEngine sslEngine) {
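Review bot: The reflective lookups in the static initializer (`getMethod("setParameters", bCSslParametersClass)` and `getMethod("setApplicationProtocols", ...)`) now key off the runtime class of whatever `getParameters()` returned, and `Class.getMethod` requires an exact parameter-type match, so if the provider ever hands back a subclass of BCSSLParameters the lookup throws NoSuchMethodException, the `catch (Throwable t)` below nulls every handle and ALPN support is logged as unavailable for the whole JVM. Keep the instance obtained from `getParameters.invoke(engine)` but resolve the class by its declared name, `final Class<?> bCSslParametersClass = Class.forName("org.bouncycastle.jsse.BCSSLParameters");`, which is the type the removed code used for the same lookups. A secondary point in `setApplicationProtocols`: `Method.invoke` wraps anything the target throws in InvocationTargetException, so the `catch (UnsupportedOperationException ex)` branch can never see a UOE raised inside BCSSLParameters and callers receive an IllegalStateException instead; if that distinction is intended, inspect `ex.getCause()` of the InvocationTargetException before deciding what to rethrow. The static initializer begins and ends outside this hunk.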

