[
https://issues.apache.org/jira/browse/NIFI-11680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17732133#comment-17732133
]
ASF subversion and git services commented on NIFI-11680:
--------------------------------------------------------
Commit 65436cb829472f1d2e9f4cb84ab87cf807c33825 in nifi's branch
refs/heads/support/nifi-1.x from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=65436cb829 ]
NIFI-11680 Corrected Buffer Size Calculation for Connection Balancing (#7370)
- Resolved BufferOverflowException in PeerChannel with Bouncy Castle Provider
- Changed prepareForWrite() to use Destination Buffer remaining instead of
Application Buffer Size
- Changed encrypt() to Packet Buffer Size instead of Application Buffer Size
> Buffer Overflow with Connection Load Balancing and Bouncy Castle TLS
> --------------------------------------------------------------------
>
> Key: NIFI-11680
> URL: https://issues.apache.org/jira/browse/NIFI-11680
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.22.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Fix For: 1.latest, 2.latest
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Cluster Connection Load Balancing is susceptible to a
> {{BufferOverflowException}} when the Java Virtual Machine is configured with
> an alternative Security Provider for TLS, such as the Bouncy Castle Security
> Provider.
> The standard JDK [SSLSession
> implementation|https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java#L1394]
> provides {{getPacketBufferSize()}} and {{getApplicationBufferSize()}}
> methods to support runtime determination of required buffer sizes for
> encrypted and decrypted records. The standard implementation calculates
> specific sizes based on TLS protocol version.
> The Bouncy Castle [SSLSession
> implementation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L99]
> uses a hard-coded value of 16384 for the Application Buffer Size and uses a
> [worst-case scenario
> calculation|https://github.com/bcgit/bc-java/blob/master/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSessionBase.java#L150]
> for the Packet Buffer Size.
> When running with the Bouncy Castle implementation, the NiFi {{PeerChannel}}
> can produce encrypted packets that exceed the prepared buffer size, resulting
> in a {{BufferOverflowException}}.
> Instead of using the {{SSLSession}} Application Buffer Size to expand the
> encrypted prepared buffer, the {{PeerChannel}} method should adjust the
> prepared buffer based on size of the current destination buffer. This
> approach should ensure correct behavior regardless of the TLS Security
> Provider implementation.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
