From 8db7ed98eabd09be95906db2afd2c432ac08a055 Mon Sep 17 00:00:00 2001
From: Xue-Lei Andrew Fan <xuelei@openjdk.org>
Date: Thu, 13 Nov 2008 23:08:11 -0800
Subject: [PATCH] 6728126: Parsing Extensions in Client Hello message is done
 in a wrong way

The inputStream.read(byte[], int, 0) is not always return zero.

Reviewed-by: wetmore, weijun
---
 .../sun/security/ssl/HelloExtensions.java     |   7 +-
 .../ssl/SSLEngineImpl/EmptyExtensionData.java | 196 ++++++++++++++++++
 2 files changed, 201 insertions(+), 2 deletions(-)
 create mode 100644 jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/EmptyExtensionData.java

diff --git a/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java b/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java
index 51080b59e47..2a21489b2a6 100644
--- a/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java
+++ b/jdk/src/share/classes/sun/security/ssl/HelloExtensions.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2006-2008 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -218,7 +218,10 @@ final class UnknownExtension extends HelloExtension {
             throws IOException {
         super(type);
         data = new byte[len];
-        s.read(data);
+        // s.read() does not handle 0-length arrays.
+        if (len != 0) {
+            s.read(data);
+        }
     }
 
     int length() {
diff --git a/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/EmptyExtensionData.java b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/EmptyExtensionData.java
new file mode 100644
index 00000000000..3d86cc90e9d
--- /dev/null
+++ b/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLEngineImpl/EmptyExtensionData.java
@@ -0,0 +1,196 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6728126
+ * @summary Parsing Extensions in Client Hello message is done in a wrong way
+ */
+
+import javax.net.ssl.*;
+import javax.net.ssl.SSLEngineResult.*;
+import java.io.*;
+import java.security.*;
+import java.nio.*;
+
+public class EmptyExtensionData {
+
+    private static boolean debug = false;
+
+    private static String pathToStores = "../../../../../../../etc";
+    private static String keyStoreFile = "keystore";
+    private static String trustStoreFile = "truststore";
+    private static String passwd = "passphrase";
+
+    private static String keyFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + keyStoreFile;
+    private static String trustFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + trustStoreFile;
+
+    private static void checkDone(SSLEngine ssle) throws Exception {
+        if (!ssle.isInboundDone()) {
+            throw new Exception("isInboundDone isn't done");
+        }
+        if (!ssle.isOutboundDone()) {
+            throw new Exception("isOutboundDone isn't done");
+        }
+    }
+
+    private static void runTest(SSLEngine ssle) throws Exception {
+        // a client hello message with an empty extension data
+        byte[] msg_clihello = {
+                (byte)0x16, (byte)0x03, (byte)0x01, (byte)0x00,
+                (byte)0x6f, (byte)0x01, (byte)0x00, (byte)0x00,
+                (byte)0x6b, (byte)0x03, (byte)0x01, (byte)0x48,
+                (byte)0x90, (byte)0x71, (byte)0xfc, (byte)0xf9,
+                (byte)0xa2, (byte)0x3a, (byte)0xd7, (byte)0xa8,
+                (byte)0x0b, (byte)0x25, (byte)0xf1, (byte)0x2b,
+                (byte)0x88, (byte)0x80, (byte)0x66, (byte)0xca,
+                (byte)0x07, (byte)0x78, (byte)0x2a, (byte)0x08,
+                (byte)0x9d, (byte)0x62, (byte)0x1d, (byte)0x89,
+                (byte)0xc9, (byte)0x1e, (byte)0x1f, (byte)0xe5,
+                (byte)0x92, (byte)0xfe, (byte)0x8d, (byte)0x00,
+                (byte)0x00, (byte)0x24, (byte)0x00, (byte)0x88,
+                (byte)0x00, (byte)0x87, (byte)0x00, (byte)0x39,
+                (byte)0x00, (byte)0x38, (byte)0x00, (byte)0x84,
+                (byte)0x00, (byte)0x35, (byte)0x00, (byte)0x45,
+                (byte)0x00, (byte)0x44, (byte)0x00, (byte)0x33,
+                (byte)0x00, (byte)0x32, (byte)0x00, (byte)0x41,
+                (byte)0x00, (byte)0x04, (byte)0x00, (byte)0x05,
+                (byte)0x00, (byte)0x2f, (byte)0x00, (byte)0x16,
+                (byte)0x00, (byte)0x13, (byte)0xfe, (byte)0xff,
+                (byte)0x00, (byte)0x0a, (byte)0x01, (byte)0x00,
+                (byte)0x00, (byte)0x1e, (byte)0x00, (byte)0x00,
+                (byte)0x00, (byte)0x16, (byte)0x00, (byte)0x14,
+                (byte)0x00, (byte)0x00, (byte)0x11, (byte)0x6a,
+                (byte)0x75, (byte)0x73, (byte)0x74, (byte)0x69,
+                (byte)0x6e, (byte)0x2e, (byte)0x75, (byte)0x6b,
+                (byte)0x2e, (byte)0x73, (byte)0x75, (byte)0x6e,
+                (byte)0x2e, (byte)0x63, (byte)0x6f, (byte)0x6d,
+                (byte)0x00, (byte)0x23, (byte)0x00, (byte)0x00
+            };
+        ByteBuffer bf_clihello = ByteBuffer.wrap(msg_clihello);
+
+        SSLSession session = ssle.getSession();
+        int appBufferMax = session.getApplicationBufferSize();
+        int netBufferMax = session.getPacketBufferSize();
+
+        ByteBuffer serverIn = ByteBuffer.allocate(appBufferMax + 50);
+        ByteBuffer serverOut = ByteBuffer.wrap("I'm Server".getBytes());
+        ByteBuffer sTOc = ByteBuffer.allocate(netBufferMax);
+
+        ssle.beginHandshake();
+
+        // unwrap the clientHello message.
+        SSLEngineResult result = ssle.unwrap(bf_clihello, serverIn);
+        System.out.println("server unwrap " + result);
+        runDelegatedTasks(result, ssle);
+
+        // one more step, ensure the clientHello message is parsed.
+        SSLEngineResult.HandshakeStatus status = ssle.getHandshakeStatus();
+        if ( status == HandshakeStatus.NEED_UNWRAP) {
+            result = ssle.unwrap(bf_clihello, serverIn);
+            System.out.println("server unwrap " + result);
+            runDelegatedTasks(result, ssle);
+        } else if ( status == HandshakeStatus.NEED_WRAP) {
+            result = ssle.wrap(serverOut, sTOc);
+            System.out.println("server wrap " + result);
+            runDelegatedTasks(result, ssle);
+        } else {
+            throw new Exception("unexpected handshake status " + status);
+        }
+
+        // enough, stop
+    }
+
+    /*
+     * If the result indicates that we have outstanding tasks to do,
+     * go ahead and run them in this thread.
+     */
+    private static void runDelegatedTasks(SSLEngineResult result,
+            SSLEngine engine) throws Exception {
+
+        if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
+            Runnable runnable;
+            while ((runnable = engine.getDelegatedTask()) != null) {
+                log("\trunning delegated task...");
+                runnable.run();
+            }
+            HandshakeStatus hsStatus = engine.getHandshakeStatus();
+            if (hsStatus == HandshakeStatus.NEED_TASK) {
+                throw new Exception(
+                    "handshake shouldn't need additional tasks");
+            }
+            log("\tnew HandshakeStatus: " + hsStatus);
+        }
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        SSLEngine ssle = createSSLEngine(keyFilename, trustFilename);
+        runTest(ssle);
+
+        System.out.println("Test Passed.");
+    }
+
+    /*
+     * Create an initialized SSLContext to use for this test.
+     */
+    static private SSLEngine createSSLEngine(String keyFile, String trustFile)
+            throws Exception {
+
+        SSLEngine ssle;
+
+        KeyStore ks = KeyStore.getInstance("JKS");
+        KeyStore ts = KeyStore.getInstance("JKS");
+
+        char[] passphrase = "passphrase".toCharArray();
+
+        ks.load(new FileInputStream(keyFile), passphrase);
+        ts.load(new FileInputStream(trustFile), passphrase);
+
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+        kmf.init(ks, passphrase);
+
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+        tmf.init(ts);
+
+        SSLContext sslCtx = SSLContext.getInstance("TLS");
+
+        sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+
+        ssle = sslCtx.createSSLEngine();
+        ssle.setUseClientMode(false);
+
+        return ssle;
+    }
+
+
+    private static void log(String str) {
+        if (debug) {
+            System.out.println(str);
+        }
+    }
+}