[PING] [8u] RFR: 8214418 half-closed SSLEngine status may cause application dead loop
Alexey Bakhtin
alexey at azul.com
Tue Jul 6 09:36:12 UTC 2021
Hello Takuya,
11u patch is applied clean and 8u backport is approved in https://bugs.openjdk.java.net/browse/JDK-8241054
If you don’t mind I can push the fix with original author and reviewers
Regards
Alexey
> On 10 Jun 2021, at 11:50, kiriyama.takuya at fujitsu.com wrote:
>
> Hi Andrew,
>
> Thank you for your reply.
>
>> Please post the patch for review and I can handle the JBS side for you.
>
> Please consider the following code:
>
> diff -r -u a/src/share/classes/sun/security/ssl/Ciphertext.java b/src/share/classes/sun/security/ssl/Ciphertext.java
> --- a/src/share/classes/sun/security/ssl/Ciphertext.java 2021-06-09 21:26:26.762180800 +0900
> +++ b/src/share/classes/sun/security/ssl/Ciphertext.java 2021-06-10 09:00:33.660574600 +0900
> @@ -31,7 +31,6 @@
> * Ciphertext
> */
> final class Ciphertext {
> - static final Ciphertext CIPHERTEXT_NULL = new Ciphertext();
>
> final byte contentType;
> final byte handshakeType;
> diff -r -u a/src/share/classes/sun/security/ssl/SSLEngineImpl.java b/src/share/classes/sun/security/ssl/SSLEngineImpl.java
> --- a/src/share/classes/sun/security/ssl/SSLEngineImpl.java 2021-06-09 21:26:26.763148800 +0900
> +++ b/src/share/classes/sun/security/ssl/SSLEngineImpl.java 2021-06-10 09:19:42.665488000 +0900
> @@ -227,6 +227,19 @@
> hsStatus = ciphertext.handshakeStatus;
> } else {
> hsStatus = getHandshakeStatus();
> + if (ciphertext == null && !conContext.isNegotiated &&
> + conContext.isInboundClosed() &&
> + hsStatus == HandshakeStatus.NEED_WRAP) {
> + // Even the outboud is open, no futher data could be wrapped as:
> + // 1. the outbound is empty
> + // 2. no negotiated connection
> + // 3. the inbound has closed, cannot complete the handshake
> + //
> + // Mark the engine as closed if the handshake status is
> + // NEED_WRAP. Otherwise, it could lead to dead loops in
> + // applications.
> + status = Status.CLOSED;
> + }
> }
>
> int deltaSrcs = srcsRemains;
> @@ -258,7 +271,7 @@
> }
>
> if (ciphertext == null) {
> - return Ciphertext.CIPHERTEXT_NULL;
> + return null;
> }
>
> // Is the handshake completed?
> diff -r -u a/src/share/classes/sun/security/ssl/TransportContext.java b/src/share/classes/sun/security/ssl/TransportContext.java
> --- a/src/share/classes/sun/security/ssl/TransportContext.java 2021-06-09 21:26:26.766062300 +0900
> +++ b/src/share/classes/sun/security/ssl/TransportContext.java 2021-06-10 09:14:04.842253500 +0900
> @@ -577,13 +577,7 @@
> // Special case that the inbound was closed, but outbound open.
> return HandshakeStatus.NEED_WRAP;
> }
> - } else if (isOutboundClosed() && !isInboundClosed()) {
> - // Special case that the outbound was closed, but inbound open.
> - return HandshakeStatus.NEED_UNWRAP;
> - } else if (!isOutboundClosed() && isInboundClosed()) {
> - // Special case that the inbound was closed, but outbound open.
> - return HandshakeStatus.NEED_WRAP;
> - }
> + } // Otherwise, both inbound and outbound are closed
>
> return HandshakeStatus.NOT_HANDSHAKING;
> }
>
>> I am confused with what you mean about the copyright year as
>>
>> https://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/6852be0de227
>>
>> contains no copyright year changes.
>
> I'm sorry, I was mistaken.
> It contains no copyright year changes.
>
> Regards,
> Takuya Kiriyama
>
>> -----Original Message-----
>> From: Andrew Hughes <gnu.andrew at redhat.com>
>> Sent: Wednesday, June 9, 2021 12:58 PM
>> To: Kiriyama, Takuya/桐山 卓弥 <kiriyama.takuya at fujitsu.com>
>> Cc: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>
>> Subject: Re: [PING] RE: [8u] RFR: 8214418 half-closed SSLEngine status
>> may cause application dead loop
>>
>> On 08:59 Mon 07 Jun , kiriyama.takuya at fujitsu.com wrote:
>>> Hello,
>>>
>>> Please reply if anyone can be a sponsor.
>>>
>>> Regards,
>>> Takuya Kiriyama
>>>
>>>> -----Original Message-----
>>>> From: Kiriyama, Takuya/桐山 卓弥
>>>> Sent: Monday, May 31, 2021 5:58 PM
>>>> To: 'jdk8u-dev at openjdk.java.net' <jdk8u-dev at openjdk.java.net>
>>>> Subject: [8u] RFR: 8214418 half-closed SSLEngine status may cause
>>>> application dead loop
>>>>
>>>> Hi all,
>>>>
>>>> The problem reported by JDK-8214418 occurs on JDK8.
>>>> I would like to backport 8214418 patch to 8u. But I don't have a JBS
>> account.
>>>> Could anybody help me as a sponsor of this backporting ?
>>>>
>>>> https://bugs.openjdk.java.net/browse/JDK-8214418
>>>> https://hg.openjdk.java.net/jdk/jdk/rev/5022a4915fe9
>>>>
>>>> I don't have access permission to
>>>> https://bugs.openjdk.java.net/browse/JDK-8214418.
>>
>> Neither do I. It looks like the bug is closed. We'll use 8241054 instead.
>>
>>>> I can confirm that 8214418 has been backported to JDK11.
>>>> https://bugs.openjdk.java.net/browse/JDK-8241054
>>>> https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/6852be0de227
>>>>
>>>> Original patch applied almost clean except for copyright year.
>>>> I have confirmed that the problem does not occur after backporting with
>> 8u.
>>
>> Please post the patch for review and I can handle the JBS side for you.
>>
>> I am confused with what you mean about the copyright year as
>>
>> https://hg.openjdk.java.net/jdk-updates/jdk11u-dev/rev/6852be0de227
>>
>> contains no copyright year changes.
>>
>>>>
>>>> Regards,
>>>> Takuya Kiriyama
>>>
>>
>> Thanks,
>> --
>> Andrew :)
>>
>> Senior Free Java Software Engineer
>> OpenJDK Package Owner
>> Red Hat, Inc. (http://www.redhat.com)
>>
>> PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint
>> = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
More information about the jdk8u-dev
mailing list