Integrated: 8263779: SSLEngine reports NEED_WRAP continuously without producing any further output

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Wed Apr 28 03:24:57 UTC 2021


On Wed, 31 Mar 2021 20:52:57 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

> As described in the bug, by connecting the SSLEngine with a misbehaving peer SSL implementation, it can get into a state where calling `wrap` reports getStatus == OK, getHandshakeStatus == NEED_WRAP but still doesn't produce any further output. It happens when the output bound is not empty.
> 
> It is caused by a mismatching condition in the SSLEngineOutputRecord. The use of the hasAlert() method should be replaced with isEmpty(). Otherwise, there are conflicts of the closing status while checking with OutputRecord.isEmpty() in the TransportContext.getHandshakeStatus() implementation. It is safe to remove the hasAlert() method, as we don't allow creation of new output record if the closure is in progress, thus isEmpty() could be used instead.
> 
> The patch passed the test provided by the bug submitter.

This pull request has now been integrated.

Changeset: 1a37bce5
Author:    Xue-Lei Andrew Fan <xuelei at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/1a37bce5afc55ad13d1406a989dbf58992746204
Stats:     54 lines in 4 files changed: 10 ins; 14 del; 30 mod

8263779: SSLEngine reports NEED_WRAP continuously without producing any further output

Reviewed-by: wetmore

-------------

PR: https://git.openjdk.java.net/jdk/pull/3292
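
An application-side guard against the stall described in the quoted text above, added here as an example; it is not part of the original message or of the JDK change. The names WrapStallGuard, drainWrap and MAX_EMPTY_WRAPS, and the threshold value, are hypothetical.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;

/** Hypothetical helper (not JDK code): bounds a wrap() loop that makes no progress. */
public final class WrapStallGuard {
    // Assumed threshold: consecutive zero-output wraps tolerated before giving up.
    private static final int MAX_EMPTY_WRAPS = 16;

    private WrapStallGuard() {}

    /**
     * Drains pending handshake or alert records into netOut. Returns when the
     * engine no longer asks for NEED_WRAP, when netOut is full, or when the
     * engine is closed. Throws instead of spinning when wrap() keeps reporting
     * NEED_WRAP while producing zero bytes, which is the symptom of 8263779.
     */
    public static void drainWrap(SSLEngine engine, ByteBuffer netOut) throws SSLException {
        ByteBuffer noAppData = ByteBuffer.allocate(0);
        int emptyWraps = 0;
        while (engine.getHandshakeStatus() == HandshakeStatus.NEED_WRAP) {
            SSLEngineResult result = engine.wrap(noAppData, netOut);
            switch (result.getStatus()) {
                case BUFFER_OVERFLOW:
                    return; // caller flushes netOut to the socket and calls again
                case CLOSED:
                    return; // outbound side is done; nothing more to produce
                default:
                    break;
            }
            boolean stalled = result.bytesProduced() == 0
                    && result.getHandshakeStatus() == HandshakeStatus.NEED_WRAP;
            if (!stalled) {
                emptyWraps = 0;
            } else if (++emptyWraps >= MAX_EMPTY_WRAPS) {
                // Fail the connection rather than burn CPU on a peer-induced loop.
                throw new SSLException("wrap() stalled: NEED_WRAP with no output after "
                        + emptyWraps + " attempts");
            }
        }
    }
}
```

The caller is expected to treat the exception as fatal for the connection and close the underlying socket.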

