jglobus / JGlobus

jGlobus is a collection of Java client libraries for Globus® Toolkit security, GRAM, and GridFTP.
http://www.globus.org/toolkit/jglobus/
Apache License 2.0

validate ssl record length #49

Closed kofemann closed 11 years ago

kofemann commented 11 years ago

In some cases we get proxy certificates which produce too-big SSL records, resulting in:

java.lang.NegativeArraySizeException: null
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readToken(GSIGssInputStream.java:79) ~[cog-jglobus-1.8.0-1.jar:na]
    at org.globus.gsi.gssapi.net.impl.GSIGssInputStream.readHandshakeToken(GSIGssInputStream.java:59) ~[cog-jglobus-1.8.0-1.jar:na]
    at org.globus.gsi.gssapi.net.impl.GSIGssSocket.readToken(GSIGssSocket.java:65) ~[cog-jglobus-1.8.0-1.jar:na]
    at org.globus.gsi.gssapi.net.GssSocket.authenticateServer(GssSocket.java:127) ~[cog-jglobus-1.8.0-1.jar:na]
    at org.globus.gsi.gssapi.net.GssSocket.startHandshake(GssSocket.java:147) ~[cog-jglobus-1.8.0-1.jar:na]

While the problem was observed with jglobus-1.8, it still exists in 2.0. This simple fix validates the record size and throws IOException if the allowed size is exceeded.

bbockelm commented 11 years ago

Hi Tigran,

If we can accept non-standard packets, isn't it preferable to do that than break clients?

I'll give your script a whirl and see if we can actually accept the erroneous clients. If other parts break, then we can just merge the pull as-is.

Brian

kofemann commented 11 years ago

Ok, I have updated the patch to accept bigger proxies. It passed my tests with jumbo proxies. I guess this is not SSLv3 spec compliant, but OK for us.
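A reconstruction of the record-length check discussed in this thread, added here as an example and not jGlobus code: `lengthUnchecked` mimics a signed-byte length decode that goes negative for large records (one plausible way to reach the NegativeArraySizeException above), `lengthValidated` masks the bytes and enforces a bound, and the two limit constants show the strict (SSLv3 spec) and relaxed (jumbo-proxy) variants from the two patch revisions. The header bytes, the relaxed limit and the method names are assumed values.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

public class SslRecordLength {
    // SSLv3/TLS ciphertext records may be at most 2^14 + 2048 bytes.
    public static final int SPEC_MAX_RECORD = 16384 + 2048;
    // Relaxed bound (assumed): tolerates jumbo proxies but still rejects absurd values.
    public static final int RELAXED_MAX_RECORD = 64 * 1024 - 1;

    /** Buggy decode (assumed reconstruction): Java bytes are signed, so a high byte >= 0x80 yields a negative length. */
    public static int lengthUnchecked(byte[] header) {
        return (header[3] << 8) | header[4];
    }

    /** Masks each length byte to 0..255 before combining, then enforces an upper bound. */
    public static int lengthValidated(byte[] header, int maxLen) throws IOException {
        int len = ((header[3] & 0xff) << 8) | (header[4] & 0xff);
        if (len > maxLen) {
            throw new IOException("SSL record length " + len + " exceeds allowed " + maxLen);
        }
        return len;
    }

    /** Reads one record (5-byte header + body) into a buffer sized from the validated length. */
    public static byte[] readRecord(InputStream in, int maxLen) throws IOException {
        DataInputStream din = new DataInputStream(in);
        byte[] header = new byte[5];
        din.readFully(header);
        int len = lengthValidated(header, maxLen);
        byte[] record = new byte[5 + len];
        System.arraycopy(header, 0, record, 0, 5);
        din.readFully(record, 5, len);
        return record;
    }

    public static void main(String[] args) throws IOException {
        // Constructed header: handshake record, SSLv3, length 0x9000 = 36864 bytes (a "jumbo" record).
        byte[] jumbo = {0x16, 0x03, 0x00, (byte) 0x90, 0x00};
        try {
            byte[] buf = new byte[lengthUnchecked(jumbo)];   // how the reported failure arises
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked: negative length " + lengthUnchecked(jumbo));
        }
        try {
            lengthValidated(jumbo, SPEC_MAX_RECORD);         // first patch revision: reject
        } catch (IOException e) {
            System.out.println("strict: " + e.getMessage());
        }
        System.out.println("relaxed: " + lengthValidated(jumbo, RELAXED_MAX_RECORD)); // second revision: accept
        // Constructed small record: 3-byte body, read end to end through the validated path.
        byte[] small = {0x16, 0x03, 0x00, 0x00, 0x03, 0x01, 0x02, 0x03};
        System.out.println("small record bytes: " + readRecord(new ByteArrayInputStream(small), SPEC_MAX_RECORD).length);
    }
}
```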

bbockelm commented 11 years ago

Thank you very much! Pulling this right now; it should appear in the upcoming JGlobus 2.0.5.