[PING] [8u] RFR: 8214418 half-closed SSLEngine status may cause application dead loop

Alexey Bakhtin alexey at azul.com
Tue Jul 6 09:36:12 UTC 2021


Hello Takuya,

11u patch is applied clean and 8u backport is approved in https://bugs.openjdk.java.net/browse/JDK-8241054
If you don’t mind I can push the fix with original author and reviewers

Regards
Alexey

> On 10 Jun 2021, at 11:50, kiriyama.takuya at fujitsu.com wrote:
> 
> Hi Andrew,
> 
> Thank you for your reply.
> 
>> Please post the patch for review and I can handle the JBS side for you.
> 
> Please consider the following code:
> 
> diff -r -u a/src/share/classes/sun/security/ssl/Ciphertext.java b/src/share/classes/sun/security/ssl/Ciphertext.java
> --- a/src/share/classes/sun/security/ssl/Ciphertext.java	2021-06-09 21:26:26.762180800 +0900
> +++ b/src/share/classes/sun/security/ssl/Ciphertext.java	2021-06-10 09:00:33.660574600 +0900
> @@ -31,7 +31,6 @@
>  * Ciphertext
>  */
> final class Ciphertext {
> -    static final Ciphertext CIPHERTEXT_NULL = new Ciphertext();
> 
>     final byte contentType;
>     final byte handshakeType;
> diff -r -u a/src/share/classes/sun/security/ssl/SSLEngineImpl.java b/src/share/classes/sun/security/ssl/SSLEngineImpl.java
> --- a/src/share/classes/sun/security/ssl/SSLEngineImpl.java	2021-06-09 21:26:26.763148800 +0900
> +++ b/src/share/classes/sun/security/ssl/SSLEngineImpl.java	2021-06-10 09:19:42.665488000 +0900
> @@ -227,6 +227,19 @@
>             hsStatus = ciphertext.handshakeStatus;
>         } else {
>             hsStatus = getHandshakeStatus();
> +            if (ciphertext == null && !conContext.isNegotiated &&
> +                    conContext.isInboundClosed() &&
> +                    hsStatus == HandshakeStatus.NEED_WRAP) {
> +                // Even the outboud is open, no futher data could be wrapped as:
> +                //     1. the outbound is empty
> +                //     2. no negotiated connection
> +                //     3. the inbound has closed, cannot complete the handshake
> +                //
> +                // Mark the engine as closed if the handshake status is
> +                // NEED_WRAP. Otherwise, it could lead to dead loops in
> +                // applications.
> +                status = Status.CLOSED;
> +            }
>         }
> 
>         int deltaSrcs = srcsRemains;
> @@ -258,7 +271,7 @@
>         }
> 
>         if (ciphertext == null) {
> -            return Ciphertext.CIPHERTEXT_NULL;
> +            return null;
>         }
> 
>         // Is the handshake completed?
> diff -r -u a/src/share/classes/sun/security/ssl/TransportContext.java b/src/share/classes/sun/security/ssl/TransportContext.java
> --- a/src/share/classes/sun/security/ssl/TransportContext.java	2021-06-09 21:26:26.766062300 +0900
> +++ b/src/share/classes/sun/security/ssl/TransportContext.java	2021-06-10 09:14:04.842253500 +0900
> @@ -577,13 +577,7 @@
>                 // Special case that the inbound was closed, but outbound open.
>                 return HandshakeStatus.NEED_WRAP;
>             }
> -        } else if (isOutboundClosed() && !isInboundClosed()) {
> -            // Special case that the outbound was closed, but inbound open.
> -            return HandshakeStatus.NEED_UNWRAP;
> -        } else if (!isOutboundClosed() && isInboundClosed()) {
> -            // Special case that the inbound was closed, but outbound open.
> -            return HandshakeStatus.NEED_WRAP;
> -        }
> +        }   // Otherwise, both inbound and outbound are closed
> 
>         return HandshakeStatus.NOT_HANDSHAKING;
>     }
> 
>> I am confused with what you mean about the copyright year as
>> 
>> https://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/6852be0de227
>> 
>> contains no copyright year changes.
> 
> I'm sorry, I was mistaken.
> It contains no copyright year changes.
> 
> Regards,
> Takuya Kiriyama
> 
>> -----Original Message-----
>> From: Andrew Hughes <gnu.andrew at redhat.com>
>> Sent: Wednesday, June 9, 2021 12:58 PM
>> To: Kiriyama, Takuya/桐山 卓弥 <kiriyama.takuya at fujitsu.com>
>> Cc: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>
>> Subject: Re: [PING] RE: [8u] RFR: 8214418 half-closed SSLEngine status
>> may cause application dead loop
>> 
>> On 08:59 Mon 07 Jun     , kiriyama.takuya at fujitsu.com wrote:
>>> Hello,
>>> 
>>> Please reply if anyone can be a sponsor.
>>> 
>>> Regards,
>>> Takuya Kiriyama
>>> 
>>>> -----Original Message-----
>>>> From: Kiriyama, Takuya/桐山 卓弥
>>>> Sent: Monday, May 31, 2021 5:58 PM
>>>> To: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>
>>>> Subject: [8u] RFR: 8214418 half-closed SSLEngine status may cause
>>>> application dead loop
>>>> 
>>>> Hi all,
>>>> 
>>>> The problem reported by JDK-8214418 occurs on JDK8.
>>>> I would like to backport 8214418 patch to 8u. But I don't have a JBS
>> account.
>>>> Could anybody help me as a sponsor of this backporting ?
>>>> 
>>>> https://bugs.openjdk.java.net/browse/JDK-8214418
>>>> https://hg.openjdk.java.net/jdk/jdk/rev/5022a4915fe9
>>>> 
>>>> I don't have access permission to
>>>> https://bugs.openjdk.java.net/browse/JDK-8214418.
>> 
>> Neither do I. It looks like the bug is closed. We'll use 8241054 instead.
>> 
>>>> I can confirm that 8214418 has been backported to JDK11.
>>>> https://bugs.openjdk.java.net/browse/JDK-8241054
>>>> https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/6852be0de227
>>>> 
>>>> Original patch applied almost clean except for copyright year.
>>>> I have confirmed that the problem does not occur after backporting with
>> 8u.
>> 
>> Please post the patch for review and I can handle the JBS side for you.
>> 
>> I am confused with what you mean about the copyright year as
>> 
>> https://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/6852be0de227
>> 
>> contains no copyright year changes.
>> 
>>>> 
>>>> Regards,
>>>> Takuya Kiriyama
>>> 
>> 
>> Thanks,
>> --
>> Andrew :)
>> 
>> Senior Free Java Software Engineer
>> OpenJDK Package Owner
>> Red Hat, Inc. (http://www.redhat.com)
>> 
>> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint
>> = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222



More information about the jdk8u-dev mailing list