8294474: Better AES support

Reviewed-by: ahgross, ascarpino
2025-08-28 15:24:43 +02:00 · 2023-01-06 23:17:41 +00:00 · 2023-01-06 23:17:41 +00:00 · 14aad787a8
commit 14aad787a8
parent a0f7ae1a95
4 changed files with 22 additions and 13 deletions
--- a/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java
+++ b/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -170,7 +170,9 @@ final class KeyUpdate {
        public byte[] produce(ConnectionContext context) throws IOException {
            PostHandshakeContext hc = (PostHandshakeContext)context;
            return handshakeProducer.produce(context,
-                    new KeyUpdateMessage(hc, KeyUpdateRequest.REQUESTED));
+                    new KeyUpdateMessage(hc, hc.conContext.isInboundClosed() ?
+                            KeyUpdateRequest.NOTREQUESTED :
+                            KeyUpdateRequest.REQUESTED));
        }
    }

--- a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -394,11 +394,11 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
     */
    private HandshakeStatus tryKeyUpdate(
            HandshakeStatus currentHandshakeStatus) throws IOException {
-        // Don't bother to kickstart if handshaking is in progress, or if the
-        // connection is not duplex-open.
+        // Don't bother to kickstart if handshaking is in progress, or if
+        // the write side of the connection is not open.  We allow a half-
+        // duplex write-only connection for key updates.
        if ((conContext.handshakeContext == null) &&
                !conContext.isOutboundClosed() &&
-                !conContext.isInboundClosed() &&
                !conContext.isBroken) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                SSLLogger.finest("trigger key update");
--- a/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -1537,11 +1537,11 @@ public final class SSLSocketImpl
     * wrapped.
     */
    private void tryKeyUpdate() throws IOException {
-        // Don't bother to kickstart if handshaking is in progress, or if the
-        // connection is not duplex-open.
+        // Don't bother to kickstart if handshaking is in progress, or if
+        // the write side of the connection is not open.  We allow a half-
+        // duplex write-only connection for key updates.
        if ((conContext.handshakeContext == null) &&
                !conContext.isOutboundClosed() &&
-                !conContext.isInboundClosed() &&
                !conContext.isBroken) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                SSLLogger.finest("trigger key update");
--- a/src/java.base/share/classes/sun/security/ssl/TransportContext.java
+++ b/src/java.base/share/classes/sun/security/ssl/TransportContext.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -219,7 +219,14 @@ final class TransportContext implements ConnectionContext {
            throw new IllegalStateException("Client/Server mode not yet set.");
        }

-        if (outputRecord.isClosed() || inputRecord.isClosed() || isBroken) {
+        // The threshold for allowing the method to continue processing
+        // depends on whether we are doing a key update or kickstarting
+        // a handshake.  In the former case, we only require the write-side
+        // to be open where a handshake would require a full duplex connection.
+        boolean isNotUsable = outputRecord.writeCipher.atKeyLimit() ?
+            (outputRecord.isClosed() || isBroken) :
+            (outputRecord.isClosed() || inputRecord.isClosed() || isBroken);
+        if (isNotUsable) {
            if (closeReason != null) {
                throw new SSLException(
                        "Cannot kickstart, the connection is broken or closed",
@ -247,7 +254,7 @@ final class TransportContext implements ConnectionContext {
        //
        // Need no kickstart message on server side unless the connection
        // has been established.
-        if(isNegotiated || sslConfig.isClientMode) {
+        if (isNegotiated || sslConfig.isClientMode) {
           handshakeContext.kickstart();
        }
    }