mirror of
https://github.com/openjdk/jdk.git
synced 2025-09-22 03:54:33 +02:00
8217094: HttpClient SSL race if a socket IOException is raised before ALPN is available
The patch makes suer that the SSLFlowDelegate's ALPN CF is always completed Reviewed-by: chegar
This commit is contained in:
Daniel Fuchs
parent
f31819f7c5
commit
3b68bb2960
6 changed files with 360 additions and 20 deletions
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -32,6 +32,7 @@ import javax.net.ssl.SSLEngineResult;
|
|||
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
|
||||
import javax.net.ssl.SSLEngineResult.Status;
|
||||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLHandshakeException;
|
||||
import java.io.IOException;
|
||||
import java.lang.ref.Reference;
|
||||
import java.lang.ref.ReferenceQueue;
|
||||
|
|
@ -109,6 +110,7 @@ public class SSLFlowDelegate {
|
|||
volatile boolean close_notify_received;
|
||||
final CompletableFuture<Void> readerCF;
|
||||
final CompletableFuture<Void> writerCF;
|
||||
final CompletableFuture<Void> stopCF;
|
||||
final Consumer<ByteBuffer> recycler;
|
||||
static AtomicInteger scount = new AtomicInteger(1);
|
||||
final int id;
|
||||
|
|
@ -149,8 +151,7 @@ public class SSLFlowDelegate {
|
|||
this.writerCF = reader.completion();
|
||||
readerCF.exceptionally(this::stopOnError);
|
||||
writerCF.exceptionally(this::stopOnError);
|
||||
|
||||
CompletableFuture.allOf(reader.completion(), writer.completion())
|
||||
this.stopCF = CompletableFuture.allOf(reader.completion(), writer.completion())
|
||||
.thenRun(this::normalStop);
|
||||
this.alpnCF = new MinimalFuture<>();
|
||||
|
||||
|
|
@ -302,7 +303,9 @@ public class SSLFlowDelegate {
|
|||
return "READER: " + super.toString() + ", readBuf: " + readBuf.toString()
|
||||
+ ", count: " + count.toString() + ", scheduler: "
|
||||
+ (scheduler.isStopped() ? "stopped" : "running")
|
||||
+ ", status: " + lastUnwrapStatus;
|
||||
+ ", status: " + lastUnwrapStatus
|
||||
+ ", handshakeState: " + handshakeState.get()
|
||||
+ ", engine: " + engine.getHandshakeStatus();
|
||||
}
|
||||
|
||||
private void reallocReadBuf() {
|
||||
|
|
@ -429,6 +432,8 @@ public class SSLFlowDelegate {
|
|||
if (complete && result.status() == Status.CLOSED) {
|
||||
if (debugr.on()) debugr.log("Closed: completing");
|
||||
outgoing(Utils.EMPTY_BB_LIST, true);
|
||||
// complete ALPN if not yet completed
|
||||
setALPN();
|
||||
return;
|
||||
}
|
||||
if (result.handshaking()) {
|
||||
|
|
@ -437,11 +442,7 @@ public class SSLFlowDelegate {
|
|||
if (doHandshake(result, READER)) continue; // need unwrap
|
||||
else break; // doHandshake will have triggered the write scheduler if necessary
|
||||
} else {
|
||||
if ((handshakeState.getAndSet(NOT_HANDSHAKING) & ~DOING_TASKS) == HANDSHAKING) {
|
||||
handshaking = false;
|
||||
applicationBufferSize = engine.getSession().getApplicationBufferSize();
|
||||
packetBufferSize = engine.getSession().getPacketBufferSize();
|
||||
setALPN();
|
||||
if (trySetALPN()) {
|
||||
resumeActivity();
|
||||
}
|
||||
}
|
||||
|
|
@ -741,6 +742,8 @@ public class SSLFlowDelegate {
|
|||
if (!upstreamCompleted) {
|
||||
upstreamCompleted = true;
|
||||
upstreamSubscription.cancel();
|
||||
// complete ALPN if not yet completed
|
||||
setALPN();
|
||||
}
|
||||
if (result.bytesProduced() <= 0)
|
||||
return;
|
||||
|
|
@ -758,10 +761,7 @@ public class SSLFlowDelegate {
|
|||
doHandshake(result, WRITER); // ok to ignore return
|
||||
handshaking = true;
|
||||
} else {
|
||||
if ((handshakeState.getAndSet(NOT_HANDSHAKING) & ~DOING_TASKS) == HANDSHAKING) {
|
||||
applicationBufferSize = engine.getSession().getApplicationBufferSize();
|
||||
packetBufferSize = engine.getSession().getPacketBufferSize();
|
||||
setALPN();
|
||||
if (trySetALPN()) {
|
||||
resumeActivity();
|
||||
}
|
||||
}
|
||||
|
|
@ -914,11 +914,25 @@ public class SSLFlowDelegate {
|
|||
stopped = true;
|
||||
reader.stop();
|
||||
writer.stop();
|
||||
// make sure the alpnCF is completed.
|
||||
if (!alpnCF.isDone()) {
|
||||
Throwable alpn = new SSLHandshakeException(
|
||||
"Connection closed before successful ALPN negotiation");
|
||||
alpnCF.completeExceptionally(alpn);
|
||||
}
|
||||
if (isMonitored) Monitor.remove(monitor);
|
||||
}
|
||||
|
||||
private Void stopOnError(Throwable currentlyUnused) {
|
||||
private Void stopOnError(Throwable error) {
|
||||
// maybe log, etc
|
||||
// ensure the ALPN is completed
|
||||
// We could also do this in SSLTube.SSLSubscriberWrapper
|
||||
// onError/onComplete - with the caveat that the ALP CF
|
||||
// would get completed externally. Doing it here keeps
|
||||
// it all inside SSLFlowDelegate.
|
||||
if (!alpnCF.isDone()) {
|
||||
alpnCF.completeExceptionally(error);
|
||||
}
|
||||
normalStop();
|
||||
return null;
|
||||
}
|
||||
|
|
@ -1070,6 +1084,11 @@ public class SSLFlowDelegate {
|
|||
}
|
||||
} while (true);
|
||||
if (debug.on()) debug.log("finished task execution");
|
||||
HandshakeStatus hs = engine.getHandshakeStatus();
|
||||
if (hs == HandshakeStatus.FINISHED || hs == HandshakeStatus.NOT_HANDSHAKING) {
|
||||
// We're no longer handshaking, try setting ALPN
|
||||
trySetALPN();
|
||||
}
|
||||
resumeActivity();
|
||||
} catch (Throwable t) {
|
||||
handleError(t);
|
||||
|
|
@ -1077,6 +1096,17 @@ public class SSLFlowDelegate {
|
|||
});
|
||||
}
|
||||
|
||||
boolean trySetALPN() {
|
||||
// complete ALPN CF if needed.
|
||||
if ((handshakeState.getAndSet(NOT_HANDSHAKING) & ~DOING_TASKS) == HANDSHAKING) {
|
||||
applicationBufferSize = engine.getSession().getApplicationBufferSize();
|
||||
packetBufferSize = engine.getSession().getPacketBufferSize();
|
||||
setALPN();
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// FIXME: acknowledge a received CLOSE request from peer
|
||||
EngineResult doClosure(EngineResult r) throws IOException {
|
||||
if (debug.on())
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -274,7 +274,11 @@ public class SSLTube implements FlowTube {
|
|||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "DelegateWrapper:" + delegate.toString();
|
||||
return "DelegateWrapper[subscribedCalled: " + subscribedCalled
|
||||
+", subscribedDone: " + subscribedDone
|
||||
+", completed: " + completed
|
||||
+", error: " + error
|
||||
+"]: " + delegate;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -288,6 +292,20 @@ public class SSLTube implements FlowTube {
|
|||
private final AtomicReference<Throwable> errorRef
|
||||
= new AtomicReference<>();
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
DelegateWrapper sub = subscribed;
|
||||
DelegateWrapper pend = pendingDelegate.get();
|
||||
// Though final sslFD may be null if called from within
|
||||
// SSLFD::connect() as SSLTube is not fully constructed yet.
|
||||
SSLFlowDelegate sslFD = sslDelegate;
|
||||
return "SSLSubscriberWrapper[" + SSLTube.this
|
||||
+ ", delegate: " + (sub == null ? pend :sub)
|
||||
+ ", getALPN: " + (sslFD == null ? null : sslFD.alpn())
|
||||
+ ", onCompleteReceived: " + onCompleteReceived
|
||||
+ ", onError: " + errorRef.get() + "]";
|
||||
}
|
||||
|
||||
// setDelegate can be called asynchronously when the SSLTube flow
|
||||
// is connected. At this time the permanent subscriber (this class)
|
||||
// may already be subscribed (readSubscription != null) or not.
|
||||
|
|
@ -319,6 +337,9 @@ public class SSLTube implements FlowTube {
|
|||
debug.log("SSLSubscriberWrapper (reader) no subscription yet");
|
||||
return;
|
||||
}
|
||||
// sslDelegate field should have been initialized by the
|
||||
// the time we reach here, as there can be no subscriber
|
||||
// until SSLTube is fully constructed.
|
||||
if (handleNow || !sslDelegate.resumeReader()) {
|
||||
processPendingSubscriber();
|
||||
}
|
||||
|
|
@ -429,7 +450,8 @@ public class SSLTube implements FlowTube {
|
|||
Throwable failed;
|
||||
boolean completed;
|
||||
// reset any demand that may have been made by the previous
|
||||
// subscriber
|
||||
// subscriber. sslDelegate field should have been initialized,
|
||||
// since we only reach here when there is a subscriber.
|
||||
sslDelegate.resetReaderDemand();
|
||||
// send the subscription to the subscriber.
|
||||
subscriberImpl.onSubscribe(subscription);
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
|
@ -468,7 +468,8 @@ public abstract class SubscriberWrapper
|
|||
.append(" outputQ size: ").append(Integer.toString(outputQ.size()))
|
||||
//.append(" outputQ: ").append(outputQ.toString())
|
||||
.append(" cf: ").append(cf.toString())
|
||||
.append(" downstreamSubscription: ").append(downstreamSubscription.toString());
|
||||
.append(" downstreamSubscription: ").append(downstreamSubscription)
|
||||
.append(" downstreamSubscriber: ").append(downstreamSubscriber);
|
||||
|
||||
return sb.toString();
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue