farahaniali commented on PR #527:
URL:
https://github.com/apache/httpcomponents-core/pull/527#issuecomment-2962297354
@ok2c and @garydgregory do not disagree with the fact that this is the
simplest and arbitrary looking solution. Open to suggestion so I can
incorporate any available mechanism to have a safety net in place.
One suggestion would be to have cleaner and more aggressive safety net at
the end of the try block:
```
private void decryptData(final IOSession protocolSession) throws IOException
{
final HandshakeStatus handshakeStatus =
sslEngine.getHandshakeStatus();
if ((handshakeStatus == HandshakeStatus.NOT_HANDSHAKING ||
handshakeStatus == HandshakeStatus.FINISHED)
&& inEncrypted.hasData()) {
final ByteBuffer inEncryptedBuf = inEncrypted.acquire();
inEncryptedBuf.flip();
try {
while (inEncryptedBuf.hasRemaining()) {
final ByteBuffer inPlainBuf = inPlain.acquire();
try {
final SSLEngineResult result =
doUnwrap(inEncryptedBuf, inPlainBuf);
if (!inEncryptedBuf.hasRemaining() &&
result.getHandshakeStatus() == HandshakeStatus.NEED_UNWRAP) {
throw new SSLException("Unable to complete SSL
handshake");
}
if (sslEngine.isInboundDone()) {
endOfStream = true;
}
if (inPlainBuf.position() > 0) {
inPlainBuf.flip();
try {
ensureHandler().inputReady(protocolSession,
inPlainBuf.hasRemaining() ? inPlainBuf : null);
} finally {
inPlainBuf.clear();
}
}
if (result.getStatus() != SSLEngineResult.Status.OK)
{
if (result.getStatus() ==
SSLEngineResult.Status.BUFFER_UNDERFLOW && endOfStream) {
throw new SSLException("Unable to decrypt
incoming data due to unexpected end of stream");
}
break;
}
if (result.bytesConsumed() == 0) {
throw new SSLException(String.format("Unable to
decrypt incoming data due to unproductive cycle. Position on the buffer %s and
the limit is %s with handshake status of %s and EndOfStream flag as %s",
inEncryptedBuf.position(), inEncryptedBuf.limit(), result.getHandshakeStatus(),
endOfStream));
}
} finally {
inPlain.release();
}
}
} finally {
inEncryptedBuf.compact();
// Release inEncrypted if empty
if (inEncryptedBuf.position() == 0) {
inEncrypted.release();
}
}
}
if (endOfStream && !inEncrypted.hasData()) {
ensureHandler().inputReady(protocolSession, null);
}
}
```
which has the following piece of code in place that would throw an
SSLException right away if it finds out we got OK status but not progressed on
the input encrypted buffer.
```
if (result.bytesConsumed() == 0) {
throw new SSLException(....
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
