Google Git
Sign in
gerrit / gerrit / d1e2c2f2c848a042854d38bd0f3c2ec323f47a6b^! / .
commitd1e2c2f2c848a042854d38bd0f3c2ec323f47a6b[log] [tgz]
authorEdwin Kempin <ekempin@google.com>Sun Mar 13 10:24:17 2016 +0100
committerSteffen Gebert <steffen@steffen-gebert.de>Sun Mar 13 15:42:32 2016 +0000
tree79221ba28d0603d2e1ce5a3613efe51716a40917
parentf4106227e4fe4d494bb6ec43c5410f0d2f8fb150 [diff]
Fix SSL security issue in the SMTP email relay code

The hostname of the SSL socket was not verified. This made the read
from the socket insecure since without verifying the hostname it may
be vulnerable to a man-in-the-middle attack as described in [1].

This issue was reported by Sam Blackshear and Jules Villard from the
Infer static analysis team at Facebook and it was detected by running
Infer [2] on the Gerrit code base.

As described in [3] Java 7 has a mechanism to verify the identity of
the certificate directly as part of the SSLSocket/SSLEngine API, and
with this change we make use of it to verify the hostname.

I discussed this with Shawn and we decided to develop this fix in open
source since the issue is in a non-critical part of Gerrit.

[1] https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] http://fbinfer.com/
[3] http://stackoverflow.com/questions/17972658/sslsocket-ignores-domain-mismatch/17979954#17979954

Change-Id: I0a06c8e4791a5cd3fa776d4a8250b889678b3c32
Signed-off-by: Edwin Kempin <ekempin@google.com>

diff --git a/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java b/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java
index c5a9d0c..ece982d 100644
--- a/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java
+++ b/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java

@@ -34,6 +34,8 @@
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
 public class AuthSMTPClient extends SMTPClient {
@@ -55,6 +57,10 @@
 
     _socket_ = sslFactory(verify).createSocket(_socket_, hostname, port, true);
 
+    SSLParameters sslParams = new SSLParameters();
+    sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+    ((SSLSocket)_socket_).setSSLParameters(sslParams);
+
     // XXX: Can't call _connectAction_() because SMTP server doesn't
     // give banner information again after STARTTLS, thus SMTP._connectAction_()
     // will wait on __getReply() forever, see source code of commons-net-2.2.