8331682: Slow networks/Impatient clients can potentially send unencrypted TLSv1.3 alerts that won't parse on the server

Reviewed-by: wetmore, djelinski, xuelei

src/java.base/share/classes/sun/security/ssl/SSLCipher.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1859,10 +1859,20 @@ enum SSLCipher {
                 }
 
                 if (bb.remaining() <= tagSize) {
-                    throw new BadPaddingException(
-                        "Insufficient buffer remaining for AEAD cipher " +
-                        "fragment (" + bb.remaining() + "). Needs to be " +
-                        "more than tag size (" + tagSize + ")");
+                    // Check for unexpected plaintext alert.
+                    if (contentType == ContentType.ALERT.id
+                            && bb.remaining() == 2) {
+                        throw new GeneralSecurityException(String.format(
+                            "Unexpected plaintext alert received: " +
+                            "Level: %s; Alert: %s",
+                            Alert.Level.nameOf(bb.get(bb.position())),
+                            Alert.nameOf(bb.get(bb.position() + 1))));
+                    } else {
+                        throw new BadPaddingException(
+                            "Insufficient buffer remaining for AEAD cipher " +
+                            "fragment (" + bb.remaining() + "). Needs to be " +
+                            "more than tag size (" + tagSize + ")");
+                    }
                 }
 
                 byte[] sn = sequence;

test/jdk/sun/security/ssl/SSLCipher/SSLEngineNoServerHelloClientShutdown.java

@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+
+/*
+ * @test
+ * @bug 8331682
+ * @summary Slow networks/Impatient clients can potentially send
+ *          unencrypted TLSv1.3 alerts that won't parse on the server.
+ * @library /javax/net/ssl/templates /test/lib
+ * @run main/othervm SSLEngineNoServerHelloClientShutdown
+ */
+
+import static jdk.test.lib.Asserts.assertEquals;
+import static jdk.test.lib.Asserts.fail;
+import static jdk.test.lib.security.SecurityUtils.inspectTlsBuffer;
+
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import javax.net.ssl.SSLProtocolException;
+import javax.net.ssl.SSLSession;
+
+/**
+ * A SSLEngine usage example which simplifies the presentation
+ * by removing the I/O and multi-threading concerns.
+ * <p>
+ * The test creates two SSLEngines, simulating a client and server.
+ * The "transport" layer consists two byte buffers:  think of them
+ * as directly connected pipes.
+ * <p>
+ * When this application runs, notice that several messages
+ * (wrap/unwrap) pass before any application data is consumed or
+ * produced.
+ */
+public class SSLEngineNoServerHelloClientShutdown extends SSLContextTemplate {
+
+    protected static final String EXCEPTION_MSG =
+        "Unexpected plaintext alert received: " +
+        "Level: warning; Alert: user_canceled";
+
+    protected SSLEngine clientEngine;     // client Engine
+    protected ByteBuffer clientOut;       // write side of clientEngine
+    protected final ByteBuffer clientIn;        // read side of clientEngine
+
+    protected final SSLEngine serverEngine;     // server Engine
+    protected final ByteBuffer serverOut;       // write side of serverEngine
+    protected final ByteBuffer serverIn;        // read side of serverEngine
+
+    protected ByteBuffer cTOs;        // "reliable" transport client->server
+    protected final ByteBuffer sTOc;  // "reliable" transport server->client
+
+    protected SSLEngineNoServerHelloClientShutdown() throws Exception {
+        serverEngine = configureServerEngine(
+                createServerSSLContext().createSSLEngine());
+
+        clientEngine = configureClientEngine(
+                createClientSSLContext().createSSLEngine());
+
+        // We'll assume the buffer sizes are the same between client and server.
+        SSLSession session = clientEngine.getSession();
+        int appBufferMax = session.getApplicationBufferSize();
+        int netBufferMax = session.getPacketBufferSize();
+
+        // We'll make the input buffers a bit bigger than the max needed
+        // size, so that unwrap()s following a successful data transfer
+        // won't generate BUFFER_OVERFLOWS.
+        clientIn = ByteBuffer.allocate(appBufferMax + 50);
+        serverIn = ByteBuffer.allocate(appBufferMax + 50);
+
+        cTOs = ByteBuffer.allocateDirect(netBufferMax * 2);
+        // Make it larger so subsequent server wraps won't generate
+        // BUFFER_OVERFLOWS
+        sTOc = ByteBuffer.allocateDirect(netBufferMax * 2);
+
+        clientOut = createClientOutputBuffer();
+        serverOut = createServerOutputBuffer();
+    }
+
+    protected ByteBuffer createServerOutputBuffer() {
+        return ByteBuffer.wrap("Hello Client, I'm Server".getBytes());
+    }
+
+    protected ByteBuffer createClientOutputBuffer() {
+        return ByteBuffer.wrap("Hi Server, I'm Client".getBytes());
+    }
+
+    /*
+     * Configure the client side engine.
+     */
+    protected SSLEngine configureClientEngine(SSLEngine clientEngine) {
+        clientEngine.setUseClientMode(true);
+        clientEngine.setEnabledProtocols(new String[] {"TLSv1.3"});
+        return clientEngine;
+    }
+
+    /*
+     * Configure the server side engine.
+     */
+    protected SSLEngine configureServerEngine(SSLEngine serverEngine) {
+        serverEngine.setUseClientMode(false);
+        serverEngine.setNeedClientAuth(true);
+        return serverEngine;
+    }
+
+    public static void main(String[] args) throws Exception {
+        new SSLEngineNoServerHelloClientShutdown().runTestUserCancelled();
+    }
+
+    //
+    // Private methods that used to build the common part of the test.
+    //
+
+    private void runTestUserCancelled() throws Exception {
+        SSLEngineResult clientResult;
+        SSLEngineResult serverResult;
+
+        log("=================");
+
+        // Client: produce client_hello
+        log("---Client Wrap client_hello---");
+        clientResult = clientEngine.wrap(clientOut, cTOs);
+        logEngineStatus(clientEngine, clientResult);
+        runDelegatedTasks(clientEngine);
+
+        cTOs.flip();
+
+        // Server: consume client_hello
+        log("---Server Unwrap client_hello---");
+        serverResult = serverEngine.unwrap(cTOs, serverIn);
+        logEngineStatus(serverEngine, serverResult);
+        runDelegatedTasks(serverEngine);
+
+        cTOs.compact();
+
+        // Server: produce server_hello
+        log("---Server Wrap server_hello---");
+        serverResult = serverEngine.wrap(serverOut, sTOc);
+        logEngineStatus(serverEngine, serverResult);
+        runDelegatedTasks(serverEngine);
+        // SH packet went missing.  Timeout on Client.
+
+        // Server: produce other outbound messages
+        log("---Server Wrap---");
+        serverResult = serverEngine.wrap(serverOut, sTOc);
+        logEngineStatus(serverEngine, serverResult);
+        runDelegatedTasks(serverEngine);
+        // CCS packet went missing.  Timeout on Client.
+
+        // Server: produce other outbound messages
+        log("---Server Wrap---");
+        serverResult = serverEngine.wrap(serverOut, sTOc);
+        logEngineStatus(serverEngine, serverResult);
+        runDelegatedTasks(serverEngine);
+        // EE/etc. packet went missing.  Timeout on Client.
+
+        // Shutdown client
+        log("---Client closeOutbound---");
+        clientEngine.closeOutbound();
+
+        // Client:  produce an unencrypted user_canceled
+        log("---Client Wrap user_canceled---");
+        clientResult = clientEngine.wrap(clientOut, cTOs);
+        logEngineStatus(clientEngine, clientResult);
+        runDelegatedTasks(clientEngine);
+
+        cTOs.flip();
+        inspectTlsBuffer(cTOs);
+
+        // Server unwrap should throw a proper exception when receiving an
+        // unencrypted 2 byte packet user_canceled alert.
+        log("---Server Unwrap user_canceled alert---");
+        try {
+            serverEngine.unwrap(cTOs, serverIn);
+        } catch (SSLProtocolException e) {
+            assertEquals(
+                GeneralSecurityException.class, e.getCause().getClass());
+            assertEquals(EXCEPTION_MSG, e.getCause().getMessage());
+            return;
+        }
+        fail("Server should have thrown SSLProtocolException");
+    }
+
+    protected static void logEngineStatus(SSLEngine engine) {
+        log("\tCurrent HS State: " + engine.getHandshakeStatus());
+        log("\tisInboundDone() : " + engine.isInboundDone());
+        log("\tisOutboundDone(): " + engine.isOutboundDone());
+    }
+
+    protected static void logEngineStatus(
+            SSLEngine engine, SSLEngineResult result) {
+        log("\tResult Status    : " + result.getStatus());
+        log("\tResult HS Status : " + result.getHandshakeStatus());
+        log("\tEngine HS Status : " + engine.getHandshakeStatus());
+        log("\tisInboundDone()  : " + engine.isInboundDone());
+        log("\tisOutboundDone() : " + engine.isOutboundDone());
+        log("\tMore Result      : " + result);
+    }
+
+    protected static void log(String message) {
+        System.err.println(message);
+    }
+
+    // If the result indicates that we have outstanding tasks to do,
+    // go ahead and run them in this thread.
+    protected static void runDelegatedTasks(SSLEngine engine)
+        throws Exception {
+
+        if (engine.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
+            Runnable runnable;
+            while ((runnable = engine.getDelegatedTask()) != null) {
+                log("    running delegated task...");
+                runnable.run();
+            }
+            HandshakeStatus hsStatus = engine.getHandshakeStatus();
+            if (hsStatus == HandshakeStatus.NEED_TASK) {
+                throw new Exception(
+                        "handshake shouldn't need additional tasks");
+            }
+            logEngineStatus(engine);
+        }
+    }
+}

test/jdk/sun/security/ssl/SSLCipher/SSLSocketNoServerHelloClientShutdown.java

@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8331682
+ * @summary Slow networks/Impatient clients can potentially send
+ *          unencrypted TLSv1.3 alerts that won't parse on the server.
+ * @library /javax/net/ssl/templates /test/lib
+ * @run main/othervm SSLSocketNoServerHelloClientShutdown
+ */
+
+import static jdk.test.lib.Asserts.assertEquals;
+import static jdk.test.lib.Asserts.assertTrue;
+import static jdk.test.lib.Asserts.fail;
+import static jdk.test.lib.security.SecurityUtils.inspectTlsBuffer;
+
+import java.io.InputStream;
+import java.net.InetSocketAddress;
+import java.nio.channels.SocketChannel;
+import java.security.GeneralSecurityException;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLEngineResult.Status;
+import javax.net.ssl.SSLProtocolException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+
+/**
+ * To reproduce @bug 8331682 (client sends an unencrypted TLS alert during
+ * TLSv1.3 handshake) with SSLSockets we use an SSLSocket on the server side
+ * and a plain TCP socket backed by SSLEngine on the client side.
+ */
+public class SSLSocketNoServerHelloClientShutdown
+    extends SSLEngineNoServerHelloClientShutdown {
+
+    private volatile Exception clientException;
+    private volatile Exception serverException;
+
+    public static void main(String[] args) throws Exception {
+        new SSLSocketNoServerHelloClientShutdown().runTest();
+    }
+
+    public SSLSocketNoServerHelloClientShutdown() throws Exception {
+        super();
+    }
+
+    private void runTest() throws Exception {
+        // Set up SSL server
+        SSLContext context = createServerSSLContext();
+        SSLServerSocketFactory sslssf = context.getServerSocketFactory();
+
+        try (SSLServerSocket serverSocket =
+            (SSLServerSocket) sslssf.createServerSocket()) {
+
+            serverSocket.setReuseAddress(false);
+            serverSocket.bind(null);
+            int port = serverSocket.getLocalPort();
+            log("Port: " + port);
+            Thread thread = createClientThread(port);
+
+            try {
+                // Server-side SSL socket that will read.
+                SSLSocket socket = (SSLSocket) serverSocket.accept();
+                socket.setSoTimeout(2000);
+                InputStream is = socket.getInputStream();
+                byte[] inbound = new byte[512];
+
+                log("===Server is ready and reading===");
+                if (is.read(inbound) > 0) {
+                    throw new Exception("Server returned data");
+                }
+            } catch (Exception e) {
+                serverException = e;
+                log(e.toString());
+            } finally {
+                thread.join();
+            }
+        } finally {
+            if (serverException != null) {
+                assertEquals(
+                    SSLProtocolException.class, serverException.getClass());
+                assertEquals(GeneralSecurityException.class,
+                             serverException.getCause().getClass());
+                assertEquals(
+                    EXCEPTION_MSG, serverException.getCause().getMessage());
+            } else {
+                fail("Server should have thrown SSLProtocolException");
+            }
+            if (clientException != null) {
+                throw clientException;
+            }
+        }
+    }
+
+    private Thread createClientThread(final int port) {
+
+        Thread t = new Thread("ClientThread") {
+            @Override
+            public void run() {
+                // Client-side plain TCP socket.
+                try (SocketChannel clientSocketChannel = SocketChannel.open(
+                        new InetSocketAddress("localhost", port))) {
+
+                    SSLEngineResult clientResult;
+                    clientSocketChannel.socket().setSoTimeout(500);
+
+                    log("=================");
+
+                    // Produce client_hello
+                    log("---Client Wrap client_hello---");
+                    clientResult = clientEngine.wrap(clientOut, cTOs);
+                    logEngineStatus(clientEngine, clientResult);
+                    runDelegatedTasks(clientEngine);
+
+                    // Shutdown client
+                    log("---Client closeOutbound---");
+                    clientEngine.closeOutbound();
+
+                    // Produce an unencrypted user_canceled
+                    log("---Client Wrap user_canceled---");
+                    clientResult = clientEngine.wrap(clientOut, cTOs);
+                    logEngineStatus(clientEngine, clientResult);
+                    runDelegatedTasks(clientEngine);
+
+                    // Produce an unencrypted close_notify
+                    log("---Client Wrap close_notify---");
+                    clientResult = clientEngine.wrap(clientOut, cTOs);
+                    logEngineStatus(clientEngine, clientResult);
+                    runDelegatedTasks(clientEngine);
+                    assertTrue(clientEngine.isOutboundDone());
+                    assertEquals(clientResult.getStatus(), Status.CLOSED);
+
+                    // Send client_hello, user_canceled alert and close_notify
+                    // alert to server. Server should throw a proper exception
+                    // when receiving an unencrypted 2 byte packet user_canceled
+                    // alert.
+                    cTOs.flip();
+                    inspectTlsBuffer(cTOs);
+                    log("---Client sends unencrypted alerts---");
+                    int len = clientSocketChannel.write(cTOs);
+
+                    // Give server a chance to read before we shutdown via
+                    // the try-with-resources block.
+                    Thread.sleep(2000);
+                } catch (Exception e) {
+                    clientException = e;
+                }
+            }
+        };
+
+        t.start();
+        return t;
+    }
+}

test/lib/jdk/test/lib/security/SecurityUtils.java

@@ -24,6 +24,8 @@
 package jdk.test.lib.security;
 
 import java.io.File;
+import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.security.KeyStore;
 import java.security.Security;
 import java.util.Arrays;
@@ -185,5 +187,33 @@ public final class SecurityUtils {
         return false;
     }
 
+    public static void inspectTlsBuffer(ByteBuffer buffer) throws IOException {
+        if (buffer == null || !buffer.hasRemaining()) {
+            return;
+        }
+
+        ByteBuffer packet = buffer.slice();
+        System.err.printf("---TLS Buffer Inspection. Bytes Remaining: %d---\n",
+                          packet.remaining());
+
+        for (int i = 1; packet.position() < packet.limit(); i++) {
+            byte contentType = packet.get();                   // pos: 0
+            byte majorVersion = packet.get();                  // pos: 1
+            byte minorVersion = packet.get();                  // pos: 2
+            int contentLen = getInt16(packet);                 // pos: 3, 4
+
+            System.err.printf(
+                "Flight %d: contentType: %d; majorVersion: %d; "
+                + "minorVersion: %d; contentLen: %d\n", i, (int) contentType,
+                (int) majorVersion, (int) minorVersion, contentLen);
+
+            packet.position(packet.position() + contentLen);
+        }
+    }
+
+    public static int getInt16(ByteBuffer m) throws IOException {
+        return ((m.get() & 0xFF) << 8) | (m.get() & 0xFF);
+    }
+
     private SecurityUtils() {}
 }