RFR: 8283577: SSLEngine.unwrap on read-only input ByteBuffer
Anthony Scarpino
ascarpino at openjdk.java.net
Wed May 11 23:07:40 UTC 2022
On Wed, 11 May 2022 00:31:23 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:
>> Hi,
>>
>> I need a review of this fix to allow a read-only 'src' buffer to be used with SSLEngine.unwrap(). A temporary read-write buffer is created in the SSLCipher operation when a read-only buffer is passed. If the 'src' is read-write, there is no effect on the current operation
>>
>> The PR also includes a CSR for an API implementation note to the SSLEngine.unwrap. The 'src' buffer may be modified during the decryption operation. 'unwrap()' has had this behavior forever, so there is no compatibility issue with this note. Using the 'src' buffer for in-place decryption was a performance decision.
>>
>> Tony
>
> test/jdk/javax/net/ssl/SSLSession/ReadOnlyEngine.java line 172:
>
>> 170: out.clear();
>> 171: String testString = "ASDF";
>> 172: in.put(testString.getBytes()).flip();
>
> If you're going to convert back from UTF_8 later, you should probably convert using getBytes(UTF_8) here.
setting the input to UTF8 isn't a concern. The latter line to decode it changes it from using the ByteBuffer.toString() to the contents of the ByteBuffer in a String.
> test/jdk/javax/net/ssl/SSLSession/ReadOnlyEngine.java line 188:
>
>> 186: in.clear();
>> 187: System.out.println("2: Server send: " + testString);
>> 188: in.put(testString.getBytes()).flip();
>
> Same
Same :)
> test/jdk/javax/net/ssl/SSLSession/ReadOnlyEngine.java line 189:
>
>> 187: System.out.println("2: Server send: " + testString);
>> 188: in.put(testString.getBytes()).flip();
>> 189: send(server, in, out);
>
> Did you want to try asReadOnlyBuffer() here also?
Yeah, they should have been. I must have undid it to test something
> test/jdk/javax/net/ssl/SSLSession/ReadOnlyEngine.java line 191:
>
>> 189: send(server, in, out);
>> 190: in.clear();
>> 191: receive(client, out, in);
>
> And here?
Same
-------------
PR: https://git.openjdk.java.net/jdk/pull/8462
More information about the security-dev
mailing list