Add protocol host name and SNI host name matching

Add strictSNI attribute on the Connector to control it.

Author: rmaucher

java/org/apache/coyote/AbstractProtocol.java

@@ -490,6 +490,10 @@ public int getWaitingProcessorCount() {
     }
 
 
+    public boolean checkSni(String sniHostName, String protocolHostName) {
+        return getEndpoint().checkSni(sniHostName, protocolHostName);
+    }
+
     // ----------------------------------------------- Accessors for sub-classes
 
     protected AbstractEndpoint<S,?> getEndpoint() {

java/org/apache/coyote/http11/Http11Processor.java

@@ -791,6 +791,11 @@ private void prepareRequest() throws IOException {
         // Validate host name and extract port if present
         parseHost(hostValueMB);
 
+        // Match host name with SNI if required
+        if (!protocol.checkSni(socketWrapper.getSniHostName(), request.serverName().toString())) {
+            badRequest("http11processor.request.sni");
+        }
+
         if (!getErrorState().isIoAllowed()) {
             getAdapter().log(request, response, 0);
         }

java/org/apache/coyote/http11/LocalStrings.properties

@@ -39,6 +39,7 @@ http11processor.request.noHostHeader=The HTTP/1.1 request did not provide a host
 http11processor.request.nonNumericContentLength=The request contained a content-length header with a non-numeric value
 http11processor.request.prepare=Error preparing request
 http11processor.request.process=Error processing request
+http11processor.request.sni=The host header does not match the SNI host
 http11processor.request.unsupportedEncoding=Error preparing request, unsupported transfer encoding [{0}]
 http11processor.request.unsupportedVersion=Error preparing request, unsupported HTTP version [{0}]
 http11processor.response.finish=Error finishing response

java/org/apache/coyote/http2/Http2UpgradeHandler.java

@@ -1931,6 +1931,10 @@ void replaceStream(AbstractNonZeroStream original, AbstractNonZeroStream replace
     }
 
 
+    String getSniHostName() {
+        return socketWrapper.getSniHostName();
+    }
+
     protected class PingManager {
 
         protected boolean initiateDisabled = false;

java/org/apache/coyote/http2/LocalStrings.properties

@@ -104,6 +104,7 @@ stream.header.te=Connection [{0}], Stream [{1}], HTTP header [te] is not permitt
 stream.header.unexpectedPseudoHeader=Connection [{0}], Stream [{1}], Pseudo header [{2}] received after a regular header
 stream.header.unknownPseudoHeader=Connection [{0}], Stream [{1}], Unknown pseudo header [{2}] received
 stream.host.inconsistent=Connection [{0}], Stream [{1}], The header host header [{2}] is inconsistent with previously provided values for host [{3}] and/or port [{4}]
+stream.host.sni=Connection [{0}], Stream [{1}], The host header [{2}] does not match the SNI host [{3}]
 stream.inputBuffer.copy=Copying [{0}] bytes from inBuffer to outBuffer
 stream.inputBuffer.dispatch=Data added to inBuffer when read interest is registered. Triggering a read dispatch
 stream.inputBuffer.empty=The Stream input buffer is empty. Waiting for more data

java/org/apache/coyote/http2/Stream.java

@@ -509,6 +509,11 @@ private void parseAuthority(String value, boolean host) throws HpackException {
         } else {
             coyoteRequest.serverName().setString(value);
         }
+        // Match host name with SNI if required
+        if (!handler.getProtocol().getHttp11Protocol().checkSni(handler.getSniHostName(), coyoteRequest.serverName().getString())) {
+            throw new HpackException(sm.getString("stream.host.sni", getConnectionId(), getIdAsString(), value,
+                    handler.getSniHostName()));
+        }
     }
 
 

java/org/apache/tomcat/util/net/AbstractEndpoint.java

@@ -232,6 +232,17 @@ public Set<SocketWrapperBase<S>> getConnections() {
 
     // ----------------------------------------------------------------- Properties
 
+    private boolean strictSni = true;
+
+    public boolean getStrictSni() {
+        return strictSni;
+    }
+
+    public void setStrictSni(boolean strictSni) {
+        this.strictSni = strictSni;
+    }
+
+
     private String defaultSSLHostConfigName = SSLHostConfig.DEFAULT_SSL_HOST_NAME;
 
     /**
@@ -525,6 +536,22 @@ protected SSLHostConfig getSSLHostConfig(String sniHostName) {
     }
 
 
+    /**
+     * Check if two host names share the same SSLHostConfig.
+     *
+     * @param sniHostName the host name from SNI, null if SNI is not in use
+     * @param protocolHostName the host name from the protocol
+     * @return true if SNI is not checked, if the SNI host name matches the protocol host name,
+     *    if both host names use the same SSLHostConfig configuration, if there is no SNI and the
+     *    protocol host name uses the default SSLHostConfig configuration, and false otherwise
+     */
+    public boolean checkSni(String sniHostName, String protocolHostName) {
+        return (!strictSni || !isSSLEnabled()
+                || (sniHostName != null && sniHostName.equalsIgnoreCase(protocolHostName))
+                || getSSLHostConfig(sniHostName) == getSSLHostConfig(protocolHostName));
+    }
+
+
     /**
      * Has the user requested that send file be used where possible?
      */

java/org/apache/tomcat/util/net/SecureNioChannel.java

@@ -281,6 +281,7 @@ private int processSNI() throws IOException {
         switch (extractor.getResult()) {
             case COMPLETE:
                 hostName = extractor.getSNIValue();
+                socketWrapper.setSniHostName(hostName);
                 clientRequestedApplicationProtocols = extractor.getClientRequestedApplicationProtocols();
                 //$FALL-THROUGH$ to set the client requested ciphers
             case NOT_PRESENT:

java/org/apache/tomcat/util/net/SocketWrapperBase.java

@@ -72,6 +72,8 @@ public abstract class SocketWrapperBase<E> {
     protected String remoteHost = null;
     protected int remotePort = -1;
 
+    protected String sniHostName = null;
+
     /**
      * Used to record the first IOException that occurs during non-blocking read/writes that can't be usefully
      * propagated up the stack since there is no user code or appropriate container code in the stack to handle it.
@@ -234,6 +236,20 @@ public void setNegotiatedProtocol(String negotiatedProtocol) {
         this.negotiatedProtocol = negotiatedProtocol;
     }
 
+    /**
+     * @return the sniHostName
+     */
+    public String getSniHostName() {
+        return this.sniHostName;
+    }
+
+    /**
+     * @param sniHostName the SNI host name to set
+     */
+    public void setSniHostName(String sniHostName) {
+        this.sniHostName = sniHostName;
+    }
+
     /**
      * Set the timeout for reading. Values of zero or less will be changed to -1.
      *

test/org/apache/catalina/startup/SimpleHttpClient.java

@@ -197,19 +197,29 @@ public String getRedirectUri() {
         return redirectUri;
     }
 
-    public void connect(int connectTimeout, int soTimeout)
-           throws UnknownHostException, IOException {
+    public void connect(Socket socket, int connectTimeout, int soTimeout, boolean connect) throws UnknownHostException, IOException {
         final String encoding = "ISO-8859-1";
         SocketAddress addr = new InetSocketAddress("localhost", port);
-        socket = new Socket();
+        this.socket = socket;
         socket.setSoTimeout(soTimeout);
-        socket.connect(addr,connectTimeout);
+        if (connect) {
+            socket.connect(addr, connectTimeout);
+        }
         OutputStream os = createOutputStream(socket);
         writer = new OutputStreamWriter(os, encoding);
         InputStream is = socket.getInputStream();
         Reader r = new InputStreamReader(is, encoding);
         reader = new BufferedReader(r);
     }
+
+    public void connect(int connectTimeout, int soTimeout) throws UnknownHostException, IOException {
+        connect(new Socket(), 10000, 10000, true);
+    }
+
+    public void connect(Socket socket) throws UnknownHostException, IOException {
+        connect(socket, 10000, 10000, false);
+    }
+
     public void connect() throws UnknownHostException, IOException {
         connect(10000, 10000);
     }