From d86f03e1b570d6fffbf6eb2875ad8b1bd4486be1 Mon Sep 17 00:00:00 2001
From: emmanuel lecharny <elecharny@apache.org>
Date: Mon, 25 Jul 2022 13:59:04 +0200
Subject: [PATCH] Migrated to MINA 2.2.1

---
 pom.xml                                       |  6 ++-
 .../server/ldap/LdapProtocolHandler.java      |  1 +
 .../handlers/extended/StartTlsFilter.java     | 39 +++++++++++++++++++
 .../handlers/extended/StartTlsHandler.java    | 12 ++----
 .../certificate/ExternalSaslServer.java       | 15 +++----
 .../directory/server/ssl/KeyStoreIT.java      |  4 +-
 6 files changed, 56 insertions(+), 21 deletions(-)
 create mode 100644 protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsFilter.java

--- a/pom.xml
+++ b/pom.xml
@@ -289,7 +289,9 @@
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-report-plugin</artifactId>
         <configuration>
-          <argLine>-Xmx1024m -XX:MaxPermSize=512m</argLine>
+          <forkCount>1</forkCount>
+          <reuseForks>false</reuseForks>
+          <argLine>-Xmx4096m -XX:MaxPermSize=512m</argLine>
           <aggregate>true</aggregate>
           <forkedProcessTimeoutInSeconds>3600</forkedProcessTimeoutInSeconds>
         </configuration>
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapProtocolHandler.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/LdapProtocolHandler.java
@@ -32,6 +32,7 @@
 import org.apache.directory.api.ldap.model.message.ResultResponseRequest;
 import org.apache.directory.api.ldap.model.message.extended.NoticeOfDisconnect;
 import org.apache.mina.core.buffer.IoBuffer;
+import org.apache.mina.core.service.IoHandler;
 import org.apache.mina.core.session.IoSession;
 import org.apache.mina.filter.FilterEvent;
 import org.apache.mina.filter.ssl.SslEvent;
--- /dev/null
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsFilter.java
@@ -0,0 +1,39 @@
+package org.apache.directory.server.ldap.handlers.extended;
+
+import org.apache.directory.api.ldap.extras.extended.startTls.StartTlsResponse;
+import org.apache.mina.core.filterchain.IoFilter;
+import org.apache.mina.core.filterchain.IoFilterAdapter;
+import org.apache.mina.core.filterchain.IoFilterChain;
+import org.apache.mina.core.session.IoSession;
+import org.apache.mina.core.write.WriteRequest;
+import org.apache.mina.filter.ssl.SslFilter;
+
+public class StartTlsFilter extends IoFilterAdapter 
+{
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void filterWrite( NextFilter nextFilter, IoSession session, WriteRequest writeRequest ) throws Exception 
+    {
+        if ( writeRequest.getOriginalMessage() instanceof StartTlsResponse )
+        {
+            // We need to bypass the SslFilter
+            IoFilterChain chain = session.getFilterChain();
+            
+            for ( IoFilterChain.Entry entry : chain.getAll() )
+            {
+                IoFilter filter = entry.getFilter();
+                
+                if ( filter instanceof SslFilter )
+                {
+                    entry.getNextFilter().filterWrite( session, writeRequest );
+                }
+            }
+        }
+        else
+        {
+            nextFilter.filterWrite( session, writeRequest );
+        }
+    }
+}
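Review bot: filterWrite silently drops a StartTlsResponse when the chain holds no SslFilter — the loop over `chain.getAll()` only forwards the request from the entry after an SslFilter and writes nothing otherwise, so the client would wait indefinitely for the StartTLS result; it also never breaks, so a chain with more than one SslFilter entry would write the response twice. Track whether the bypass happened, stop at the first match, and fall back to `nextFilter.filterWrite` when nothing matched. Note that if a StartTlsResponse could ever be written while the SslFilter already has an established TLS session (a repeated StartTLS request), bypassing it would push plaintext into the encrypted stream — whether the handler rejects that case is outside this hunk and worth confirming. The class also lacks a Javadoc; something like `/** Routes a StartTlsResponse around the SslFilter so it is sent in the clear before the TLS handshake begins. */` would explain why a write-path filter exists at all.
```java
public void filterWrite( NextFilter nextFilter, IoSession session, WriteRequest writeRequest ) throws Exception 
{
    if ( writeRequest.getOriginalMessage() instanceof StartTlsResponse )
    {
        // Hand the response to the entry after the SslFilter so it leaves in the clear
        boolean bypassed = false;

        for ( IoFilterChain.Entry entry : session.getFilterChain().getAll() )
        {
            if ( entry.getFilter() instanceof SslFilter )
            {
                entry.getNextFilter().filterWrite( session, writeRequest );
                bypassed = true;
                break;
            }
        }

        if ( !bypassed )
        {
            // No SslFilter in the chain: write normally instead of dropping the response
            nextFilter.filterWrite( session, writeRequest );
        }
    }
    // … unchanged: plain forwarding for every other message …
}
```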
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/extended/StartTlsHandler.java
@@ -99,7 +99,7 @@
 
         if ( sslFilter == null )
         {
-            sslFilter = new SslFilter( sslContext, false );
+            sslFilter = new SslFilter( sslContext );
 
             // Set the cipher suite
             if ( ( cipherSuite != null ) && !cipherSuite.isEmpty() )
@@ -122,15 +122,10 @@
             sslFilter.setNeedClientAuth( needClientAuth );
             sslFilter.setWantClientAuth( wantClientAuth );
 
+            StartTlsFilter startTlsFilter = new StartTlsFilter();
+            chain.addFirst( "startTls", startTlsFilter );
             chain.addFirst( "sslFilter", sslFilter );
         }
-        else
-        {
-            // Be sure we disable SSLV3
-            sslFilter.setEnabledProtocols( new String[]
-                { "TLSv1", "TLSv1.1", "TLSv1.2" } );
-            sslFilter.startSsl( session.getIoSession() );
-        }
 
         StartTlsResponse res = new StartTlsResponseImpl( req.getMessageId() );
         LdapResult result = res.getLdapResult();
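Review bot: Dropping the `else` branch removes the only visible place that constrained the filter with `setEnabledProtocols` and started the handshake on an already-present SslFilter, and neither this hunk nor the previous one shows an equivalent on the filter-creation path, so the negotiable protocol set now depends on the JSSE defaults (and `jdk.tls.disabledAlgorithms`) of the running JVM. If that reliance is intended, say so next to `chain.addFirst( "sslFilter", sslFilter );` with a comment such as `// Protocol selection is left to the JSSE defaults of the running JVM`, so the next reader does not re-add a hard-coded list; otherwise apply the configured protocol list where the cipher suite is set, `sslFilter.setEnabledProtocols( <configured protocol list> );`. Separately, when `sslFilter != null` the method now falls straight through to building a success response with no handshake start; if that branch is reached because TLS is already established on the session, RFC 4511 calls for an operationsError rather than success — the start of this method, which lies outside the hunk, may already handle that, but it is worth confirming together with the removal of `DISABLE_ENCRYPTION_ONCE` in the next hunk. The method begins before this hunk and ends after it.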
@@ -138,7 +133,6 @@
         res.setResponseName( EXTENSION_OID );
 
         // Send a response.
-        session.getIoSession().setAttribute( SslFilter.DISABLE_ENCRYPTION_ONCE );
         session.getIoSession().write( res );
     }
 
--- a/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java
+++ b/protocol-ldap/src/main/java/org/apache/directory/server/ldap/handlers/sasl/external/certificate/ExternalSaslServer.java
@@ -20,6 +20,12 @@
 package org.apache.directory.server.ldap.handlers.sasl.external.certificate;
 
 
+import java.security.cert.Certificate;
+
+import javax.naming.Context;
+import javax.net.ssl.SSLSession;
+import javax.security.sasl.SaslException;
+
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.apache.directory.api.ldap.model.constants.AuthenticationLevel;
 import org.apache.directory.api.ldap.model.constants.SchemaConstants;
@@ -45,11 +51,6 @@
 import org.apache.directory.server.ldap.handlers.sasl.SaslConstants;
 import org.apache.mina.filter.ssl.SslFilter;
 
-import javax.naming.Context;
-import javax.net.ssl.SSLSession;
-import javax.security.sasl.SaslException;
-import java.security.cert.Certificate;
-
 
 /**
  * A SaslServer implementation for certificate based SASL EXTERNAL mechanism.
@@ -101,7 +102,7 @@
     {
         try
         {
-            SSLSession sslSession = ( SSLSession ) getLdapSession().getIoSession().getAttribute( SslFilter.SSL_SESSION );
+            SSLSession sslSession = ( SSLSession ) getLdapSession().getIoSession().getAttribute( SslFilter.SSL_SECURED );
             Certificate[] peerCertificates = sslSession.getPeerCertificates();
 
             if ( null == peerCertificates || 1 > peerCertificates.length )
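Review bot: The cast on the changed line assumes the value stored under `SslFilter.SSL_SECURED` is the `SSLSession`, and nothing checks for `null` before `sslSession.getPeerCertificates()`; on a connection where the handshake has not completed, or if MINA 2.2.1 stores a different value under that key, this fails with a NullPointerException or ClassCastException that the catch following the hunk presumably turns into a generic failure. Since this attribute is the only evidence the SASL EXTERNAL bind relies on, verify against MINA 2.2.1 what `SSL_SECURED` holds (the `SslFilter.getSslSession( session )` accessor, if present in that release, would avoid depending on the key) and reject explicitly when it is absent: `if ( sslSession == null ) { throw new LdapAuthenticationException( "SASL EXTERNAL requires an established TLS session" ); }`. The enclosing method starts and ends outside the hunk, so the catch block is not visible here.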
@@ -181,4 +182,4 @@
             throw new LdapAuthenticationException( "Cannot authenticate user cert=" + peerCertificate );
         }
     }
-}
\ No newline at end of file
+}
--- a/server-integ/src/test/java/org/apache/directory/server/ssl/KeyStoreIT.java
+++ b/server-integ/src/test/java/org/apache/directory/server/ssl/KeyStoreIT.java
@@ -176,8 +176,7 @@
     {
         LdapConnectionConfig config = ldapsConnectionConfig();
 
-        try (
-            LdapNetworkConnection conn = new LdapNetworkConnection( config ); )
+        try ( LdapNetworkConnection conn = new LdapNetworkConnection( config ); )
         {
             try
             {
@@ -186,7 +185,6 @@
             }
             catch ( LdapException e )
             {
-                //e.printStackTrace();
                 assertTrue( e.getMessage().contains( "ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed" ) );
             }
             assertFalse( conn.isConnected() );
