Add protocol host name and SNI host name matching

Add strictSNI attribute on the Connector to control it.

Author: rmaucher

java/org/apache/coyote/http11/AbstractHttp11Protocol.java

@@ -759,6 +759,10 @@ public void setSniParseLimit(int sniParseLimit) {
     }
 
 
+    public boolean checkSni(String sniHostName, String protocolHostName) {
+        return getEndpoint().checkSni(sniHostName, protocolHostName);
+    }
+
     // ------------------------------------------------------------- Common code
 
     @Override

java/org/apache/coyote/http11/Http11Processor.java

@@ -780,6 +780,11 @@ private void prepareRequest() throws IOException {
         // Validate host name and extract port if present
         parseHost(hostValueMB);
 
+        // Match host name with SNI if required
+        if (!protocol.checkSni(socketWrapper.getSniHostName(), request.serverName().toString())) {
+            badRequest("http11processor.request.sni");
+        }
+
         if (!getErrorState().isIoAllowed()) {
             getAdapter().log(request, response, 0);
         }

java/org/apache/coyote/http11/LocalStrings.properties

@@ -39,6 +39,7 @@ http11processor.request.noHostHeader=The HTTP/1.1 request did not provide a host
 http11processor.request.nonNumericContentLength=The request contained a content-length header with a non-numeric value
 http11processor.request.prepare=Error preparing request
 http11processor.request.process=Error processing request
+http11processor.request.sni=The host header does not match the SNI host
 http11processor.request.unsupportedEncoding=Error preparing request, unsupported transfer encoding [{0}]
 http11processor.request.unsupportedVersion=Error preparing request, unsupported HTTP version [{0}]
 http11processor.response.finish=Error finishing response

java/org/apache/coyote/http2/Http2UpgradeHandler.java

@@ -1859,6 +1859,10 @@ public ServletConnection getServletConnection() {
         }
     }
 
+    String getSniHostName() {
+        return socketWrapper.getSniHostName();
+    }
+
     protected class PingManager {
 
         protected boolean initiateDisabled = false;

java/org/apache/coyote/http2/LocalStrings.properties

@@ -105,6 +105,7 @@ stream.header.te=Connection [{0}], Stream [{1}], HTTP header [te] is not permitt
 stream.header.unexpectedPseudoHeader=Connection [{0}], Stream [{1}], Pseudo header [{2}] received after a regular header
 stream.header.unknownPseudoHeader=Connection [{0}], Stream [{1}], Unknown pseudo header [{2}] received
 stream.host.inconsistent=Connection [{0}], Stream [{1}], The header host header [{2}] is inconsistent with previously provided values for host [{3}] and/or port [{4}]
+stream.host.sni=Connection [{0}], Stream [{1}], The host header [{2}] does not match the SNI host [{3}]
 stream.inputBuffer.copy=Copying [{0}] bytes from inBuffer to outBuffer
 stream.inputBuffer.dispatch=Data added to inBuffer when read interest is registered. Triggering a read dispatch
 stream.inputBuffer.empty=The Stream input buffer is empty. Waiting for more data

java/org/apache/coyote/http2/Stream.java

@@ -505,6 +505,11 @@ private void parseAuthority(String value, boolean host) throws HpackException {
         } else {
             coyoteRequest.serverName().setString(value);
         }
+        // Match host name with SNI if required
+        if (!handler.getProtocol().getHttp11Protocol().checkSni(handler.getSniHostName(), coyoteRequest.serverName().getString())) {
+            throw new HpackException(sm.getString("stream.host.sni", getConnectionId(), getIdAsString(), value,
+                    handler.getSniHostName()));
+        }
     }
 
 

java/org/apache/tomcat/util/net/AbstractEndpoint.java

@@ -257,6 +257,17 @@ public void setSniParseLimit(int sniParseLimit) {
     }
 
 
+    private boolean strictSni = true;
+
+    public boolean getStrictSni() {
+        return strictSni;
+    }
+
+    public void setStrictSni(boolean strictSni) {
+        this.strictSni = strictSni;
+    }
+
+
     private String defaultSSLHostConfigName = SSLHostConfig.DEFAULT_SSL_HOST_NAME;
 
     /**
@@ -714,6 +725,22 @@ protected SSLHostConfig getSSLHostConfig(String sniHostName) {
     }
 
 
+    /**
+     * Check if two host names share the same SSLHostConfig.
+     *
+     * @param sniHostName the host name from SNI, null if SNI is not in use
+     * @param protocolHostName the host name from the protocol
+     * @return true if SNI is not checked, if the SNI host name matches the protocol host name,
+     *    if both host names use the same SSLHostConfig configuration, if there is no SNI and the
+     *    protocol host name uses the default SSLHostConfig configuration, and false otherwise
+     */
+    public boolean checkSni(String sniHostName, String protocolHostName) {
+        return (!strictSni || !isSSLEnabled()
+                || (sniHostName != null && sniHostName.equalsIgnoreCase(protocolHostName))
+                || getSSLHostConfig(sniHostName) == getSSLHostConfig(protocolHostName));
+    }
+
+
     /**
      * Has the user requested that send file be used where possible?
      */

java/org/apache/tomcat/util/net/SecureNioChannel.java

@@ -279,6 +279,7 @@ protected int processSNI() throws IOException {
         switch (extractor.getResult()) {
             case COMPLETE:
                 hostName = extractor.getSNIValue();
+                socketWrapper.setSniHostName(hostName);
                 clientRequestedApplicationProtocols = extractor.getClientRequestedApplicationProtocols();
                 //$FALL-THROUGH$ to set the client requested ciphers
             case NOT_PRESENT:

java/org/apache/tomcat/util/net/SocketWrapperBase.java

@@ -85,6 +85,8 @@ public abstract class SocketWrapperBase<E> {
     protected int remotePort = -1;
     protected volatile ServletConnection servletConnection = null;
 
+    protected String sniHostName = null;
+
     /**
      * Used to record the first IOException that occurs during non-blocking read/writes that can't be usefully
      * propagated up the stack since there is no user code or appropriate container code in the stack to handle it.
@@ -208,6 +210,20 @@ public void setNegotiatedProtocol(String negotiatedProtocol) {
         this.negotiatedProtocol = negotiatedProtocol;
     }
 
+    /**
+     * @return the sniHostName
+     */
+    public String getSniHostName() {
+        return this.sniHostName;
+    }
+
+    /**
+     * @param sniHostName the SNI host name to set
+     */
+    public void setSniHostName(String sniHostName) {
+        this.sniHostName = sniHostName;
+    }
+
     /**
      * Set the timeout for reading. Values of zero or less will be changed to -1.
      *

test/org/apache/catalina/startup/SimpleHttpClient.java

@@ -205,18 +205,28 @@ public String getRedirectUri() {
         return redirectUri;
     }
 
-    public void connect(int connectTimeout, int soTimeout)
-           throws UnknownHostException, IOException {
+    public void connect(Socket socket, int connectTimeout, int soTimeout, boolean connect) throws UnknownHostException, IOException {
         SocketAddress addr = new InetSocketAddress("localhost", port);
-        socket = new Socket();
+        this.socket = socket;
         socket.setSoTimeout(soTimeout);
-        socket.connect(addr,connectTimeout);
+        if (connect) {
+            socket.connect(addr, connectTimeout);
+        }
         OutputStream os = createOutputStream(socket);
         writer = new OutputStreamWriter(os, requestBodyEncoding);
         InputStream is = socket.getInputStream();
         Reader r = new InputStreamReader(is, responseBodyEncoding);
         reader = new BufferedReader(r);
     }
+
+    public void connect(int connectTimeout, int soTimeout) throws UnknownHostException, IOException {
+        connect(new Socket(), 10000, 10000, true);
+    }
+
+    public void connect(Socket socket) throws UnknownHostException, IOException {
+        connect(socket, 10000, 10000, false);
+    }
+
     public void connect() throws UnknownHostException, IOException {
         connect(10000, 10000);
     }