RFR: 8263779: SSLEngine reports NEED_WRAP continuously without producing any further output [v3]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Wed Apr 28 00:26:15 UTC 2021


> As described in the bug, by connecting the SSLEngine with a misbehaving peer SSL implementation, it can get into a state where calling `wrap` reports getStatus == OK, getHandshakeStatus == NEED_WRAP but still doesn't produce any further output. It happens when the output bound is not empty.
> 
> It is caused by a mismatching condition in the SSLEngineOutputRecord. The use of the hasAlert() method should be replaced with isEmpty(). Otherwise, there are conflicts of the closing status while checking with OutputRecord.isEmpty() in the TransportContext.getHandshakeStatus() implementation. It is safe to remove the hasAlert() method, as we don't allow creation of a new output record if the closure is in progress, thus isEmpty() could be used instead.
> 
> The patch passed the test provided by the bug submitter.

Xue-Lei Andrew Fan has updated the pull request incrementally with one additional commit since the last revision:

  Update copyright date and typo correction

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/3292/files
  - new: https://git.openjdk.java.net/jdk/pull/3292/files/989e9ad3..03a0dc60

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=3292&range=02
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=3292&range=01-02

  Stats: 2 lines in 1 file changed: 0 ins; 1 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/3292.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/3292/head:pull/3292

PR: https://git.openjdk.java.net/jdk/pull/3292
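
A caller-side guard for the state described in the quoted text (status OK, handshake status NEED_WRAP, no output), as an added example that is not part of the original message or of the JDK patch. The class name `WrapStallGuard`, the method `drainWrap`, the limit `MAX_STALLS` and the host `peer.example` are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;
import javax.net.ssl.SSLException;
import java.nio.ByteBuffer;

public class WrapStallGuard {
    // Hypothetical limit: consecutive zero-progress wrap() calls tolerated.
    static final int MAX_STALLS = 3;

    /** Drives wrap() while the engine reports NEED_WRAP; fails instead of spinning. */
    static int drainWrap(SSLEngine engine, ByteBuffer appOut, ByteBuffer netOut)
            throws SSLException {
        int total = 0;
        int stalls = 0;
        while (engine.getHandshakeStatus() == HandshakeStatus.NEED_WRAP) {
            SSLEngineResult r = engine.wrap(appOut, netOut);
            total += r.bytesProduced();
            if (r.getStatus() == Status.BUFFER_OVERFLOW || r.getStatus() == Status.CLOSED) {
                break; // caller must flush or enlarge netOut, or the engine is closed
            }
            // The symptom from the bug: nothing produced, nothing consumed, still NEED_WRAP.
            boolean noProgress = r.bytesProduced() == 0 && r.bytesConsumed() == 0
                    && r.getHandshakeStatus() == HandshakeStatus.NEED_WRAP;
            stalls = noProgress ? stalls + 1 : 0;
            if (stalls >= MAX_STALLS) {
                // Surface the stall so the caller can tear down the transport.
                throw new SSLException("wrap() stalled: NEED_WRAP without output");
            }
        }
        return total;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: a fresh client engine whose first flight needs wrapping.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("peer.example", 443);
        engine.setUseClientMode(true);
        engine.beginHandshake();
        ByteBuffer netOut = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        int n = drainWrap(engine, ByteBuffer.allocate(0), netOut);
        System.out.println("handshake bytes produced: " + n
                + ", next status: " + engine.getHandshakeStatus());
    }
}
```

On an engine without the defect the loop exits as soon as the handshake status leaves NEED_WRAP; the exception path is only reached when `wrap` keeps returning without progress.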