From d12de47b54eee411e7f41b2066fea15b1b93c51e Mon Sep 17 00:00:00 2001 From: justinwm Date: Tue, 13 Jun 2023 10:34:31 +0800 Subject: fix-CVE-2023-21930 --- .../share/classes/sun/security/ssl/KeyUpdate.java | 6 ++++-- .../classes/sun/security/ssl/SSLEngineImpl.java | 8 ++++---- .../classes/sun/security/ssl/SSLSocketImpl.java | 8 ++++---- .../classes/sun/security/ssl/TransportContext.java | 13 ++++++++++--- 4 files changed, 22 insertions(+), 13 deletions(-) diff --git a/openjdk/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java b/openjdk/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java index 1306344..9e921e6 100644 --- a/openjdk/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java +++ b/openjdk/jdk/src/share/classes/sun/security/ssl/KeyUpdate.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -169,7 +169,9 @@ final class KeyUpdate { public byte[] produce(ConnectionContext context) throws IOException { PostHandshakeContext hc = (PostHandshakeContext)context; return handshakeProducer.produce(context, - new KeyUpdateMessage(hc, KeyUpdateRequest.REQUESTED)); + new KeyUpdateMessage(hc, hc.conContext.isInboundClosed() ? + KeyUpdateRequest.NOTREQUESTED : + KeyUpdateRequest.REQUESTED)); } } diff --git a/openjdk/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java b/openjdk/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java index ef64c7b..05ffb8a 100644 --- a/openjdk/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java +++ b/openjdk/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -325,11 +325,11 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport { */ private HandshakeStatus tryKeyUpdate( HandshakeStatus currentHandshakeStatus) throws IOException { - // Don't bother to kickstart if handshaking is in progress, or if the - // connection is not duplex-open. + // Don't bother to kickstart if handshaking is in progress, or if + // the write side of the connection is not open. We allow a half- + // duplex write-only connection for key updates. if ((conContext.handshakeContext == null) && !conContext.isOutboundClosed() && - !conContext.isInboundClosed() && !conContext.isBroken) { if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { SSLLogger.finest("trigger key update"); diff --git a/openjdk/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java b/openjdk/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java index ab93e30..b2ded0e 100644 --- a/openjdk/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java +++ b/openjdk/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1428,11 +1428,11 @@ public final class SSLSocketImpl * wrapped. */ private void tryKeyUpdate() throws IOException { - // Don't bother to kickstart if handshaking is in progress, or if the - // connection is not duplex-open. + // Don't bother to kickstart if handshaking is in progress, or if + // the write side of the connection is not open. We allow a half- + // duplex write-only connection for key updates. if ((conContext.handshakeContext == null) && !conContext.isOutboundClosed() && - !conContext.isInboundClosed() && !conContext.isBroken) { if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { SSLLogger.finest("trigger key update"); diff --git a/openjdk/jdk/src/share/classes/sun/security/ssl/TransportContext.java b/openjdk/jdk/src/share/classes/sun/security/ssl/TransportContext.java index 416113e..9427ed7 100644 --- a/openjdk/jdk/src/share/classes/sun/security/ssl/TransportContext.java +++ b/openjdk/jdk/src/share/classes/sun/security/ssl/TransportContext.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -200,7 +200,14 @@ class TransportContext implements ConnectionContext { throw new IllegalStateException("Client/Server mode not yet set."); } - if (outputRecord.isClosed() || inputRecord.isClosed() || isBroken) { + // The threshold for allowing the method to continue processing + // depends on whether we are doing a key update or kickstarting + // a handshake. In the former case, we only require the write-side + // to be open where a handshake would require a full duplex connection. + boolean isNotUsable = outputRecord.writeCipher.atKeyLimit() ? + (outputRecord.isClosed() || isBroken) : + (outputRecord.isClosed() || inputRecord.isClosed() || isBroken); + if (isNotUsable) { if (closeReason != null) { throw new SSLException( "Cannot kickstart, the connection is broken or closed", @@ -227,7 +234,7 @@ class TransportContext implements ConnectionContext { // // Need no kickstart message on server side unless the connection // has been established. - if(isNegotiated || sslConfig.isClientMode) { + if (isNegotiated || sslConfig.isClientMode) { handshakeContext.kickstart(); } } -- 2.39.2 (Apple Git-143)