[
https://issues.apache.org/jira/browse/KNOX-3172?focusedWorklogId=976260&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-976260
]
ASF GitHub Bot logged work on KNOX-3172:
----------------------------------------
Author: ASF GitHub Bot
Created on: 25/Jul/25 12:59
Start Date: 25/Jul/25 12:59
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1065:
URL: https://github.com/apache/knox/pull/1065#discussion_r2231026178
##########
gateway-spi/src/main/java/org/apache/knox/gateway/fips/BCInterceptingSocket.java:
##########
@@ -0,0 +1,275 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.fips;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.lang.reflect.InvocationTargetException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.SocketAddress;
+import java.net.SocketException;
+import java.net.SocketOption;
+import java.nio.channels.SocketChannel;
+import java.util.Set;
+
+public class BCInterceptingSocket extends Socket {
+ private final Socket delegate;
+
+ public BCInterceptingSocket(Socket delegate) throws IOException {
+ this.delegate = delegate;
+ }
+
+ @Override
+ public OutputStream getOutputStream() throws IOException {
+ OutputStream originalOutputStream = delegate.getOutputStream();
+ return new BCInterceptingOutputStream(originalOutputStream);
+ }
+
+ @Override
+ public InputStream getInputStream() throws IOException {
+ return delegate.getInputStream();
+ }
+
+ @Override
+ public void connect(SocketAddress endpoint) throws IOException {
+ delegate.connect(endpoint);
+ }
+
+ @Override
+ public void connect(SocketAddress endpoint, int timeout) throws
IOException {
+ delegate.connect(endpoint, timeout);
+ }
+
+ @Override
+ public void bind(SocketAddress bindpoint) throws IOException {
+ delegate.bind(bindpoint);
+ }
+
+ @Override
+ public void close() throws IOException {
+ delegate.close();
+ }
+
+ @Override
+ public boolean isConnected() {
+ return delegate.isConnected();
+ }
+
+ @Override
+ public boolean isClosed() {
+ return delegate.isClosed();
+ }
+
+ @Override
+ public boolean isInputShutdown() {
+ return delegate.isInputShutdown();
+ }
+
+ @Override
+ public boolean isOutputShutdown() {
+ return delegate.isOutputShutdown();
+ }
+
+ @Override
+ public void shutdownInput() throws IOException {
+ delegate.shutdownInput();
+ }
+
+ @Override
+ public void shutdownOutput() throws IOException {
+ delegate.shutdownOutput();
+ }
+
+ @Override
+ public InetAddress getInetAddress() {
+ return delegate.getInetAddress();
+ }
+
+ @Override
+ public InetAddress getLocalAddress() {
+ return delegate.getLocalAddress();
+ }
+
+ @Override
+ public int getPort() {
+ return delegate.getPort();
+ }
+
+ @Override
+ public int getLocalPort() {
+ return delegate.getLocalPort();
+ }
+
+ @Override
+ public SocketAddress getRemoteSocketAddress() {
+ return delegate.getRemoteSocketAddress();
+ }
+
+ @Override
+ public boolean isBound() {
+ return delegate.isBound();
+ }
+
+ @Override
+ public boolean getReuseAddress() throws SocketException {
+ return delegate.getReuseAddress();
+ }
+
+ @Override
+ public void setReuseAddress(boolean on) throws SocketException {
+ delegate.setReuseAddress(on);
+ }
+
+ @Override
+ public int getTrafficClass() throws SocketException {
+ return delegate.getTrafficClass();
+ }
+
+ @Override
+ public void setTrafficClass(int tc) throws SocketException {
+ delegate.setTrafficClass(tc);
+ }
+
+ @Override
+ public boolean getKeepAlive() throws SocketException {
+ return delegate.getKeepAlive();
+ }
+
+ @Override
+ public void setKeepAlive(boolean on) throws SocketException {
+ delegate.setKeepAlive(on);
+ }
+
+ @Override
+ public SocketAddress getLocalSocketAddress() {
+ return delegate.getLocalSocketAddress();
+ }
+
+ @Override
+ public SocketChannel getChannel() {
+ return delegate.getChannel();
+ }
+
+ @Override
+ public void setTcpNoDelay(boolean on) throws SocketException {
+ delegate.setTcpNoDelay(on);
+ }
+
+ @Override
+ public boolean getTcpNoDelay() throws SocketException {
+ return delegate.getTcpNoDelay();
+ }
+
+ @Override
+ public void setSoLinger(boolean on, int linger) throws SocketException {
+ delegate.setSoLinger(on, linger);
+ }
+
+ @Override
+ public int getSoLinger() throws SocketException {
+ return delegate.getSoLinger();
+ }
+
+ @Override
+ public void sendUrgentData(int data) throws IOException {
+ delegate.sendUrgentData(data);
+ }
+
+ @Override
+ public void setOOBInline(boolean on) throws SocketException {
+ delegate.setOOBInline(on);
+ }
+
+ @Override
+ public boolean getOOBInline() throws SocketException {
+ return delegate.getOOBInline();
+ }
+
+ @Override
+ public void setSoTimeout(int timeout) throws SocketException {
+ delegate.setSoTimeout(timeout);
+ }
+
+ @Override
+ public int getSoTimeout() throws SocketException {
+ return delegate.getSoTimeout();
+ }
+
+ @Override
+ public void setSendBufferSize(int size) throws SocketException {
+ delegate.setSendBufferSize(size);
+ }
+
+ @Override
+ public int getSendBufferSize() throws SocketException {
+ return delegate.getSendBufferSize();
+ }
+
+ @Override
+ public void setReceiveBufferSize(int size) throws SocketException {
+ delegate.setReceiveBufferSize(size);
+ }
+
+ @Override
+ public int getReceiveBufferSize() throws SocketException {
+ return delegate.getReceiveBufferSize();
+ }
+
+ @Override
+ public void setPerformancePreferences(int connectionTime,
+ int latency,
+ int bandwidth) {
+ delegate.setPerformancePreferences(connectionTime, latency, bandwidth);
+ }
+
+ /**
+ * This method is only available in JDK9+ therefor reflection is used to
call it.
Review Comment:
nit: typo (`therefore` vs. `therefor`)
Issue Time Tracking
-------------------
Worklog Id: (was: 976260)
Time Spent: 20m (was: 10m)
> BouncyCastle FIPS provider Broken Pipe exception
> ------------------------------------------------
>
> Key: KNOX-3172
> URL: https://issues.apache.org/jira/browse/KNOX-3172
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Tamás Hanicz
> Assignee: Tamás Hanicz
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The BC FIPS provider causes a SocketException with 'Broken Pipe' message on
> FIPS clusters. When there is a *connection: close* header in the response
> Knox tries to close the connection however there is an exception coming from
> BC. It tries to write to the already closed connection and we get the Broken
> Pipe issue and it results in HTTP 500 responses from Knox.
> The solution catches and ignores this exception on the socket level. The
> intercepting socket would only load if FIPS arg is provided for Knox. This
> arg is defaults to com.safelogic.cryptocomply.fips.approved_only=true and can
> be changed in the gateway-site.xml.
> {code:java}
> java.net.SocketException: Broken pipe (Write failed)at
> java.net.SocketOutputStream.socketWrite0(Native Method)at
> java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)at
> java.net.SocketOutputStream.write(SocketOutputStream.java:155)at
> org.bouncycastle.tls.RecordStream.writeRecord(RecordStream.java:307)at
> org.bouncycastle.tls.TlsProtocol.safeWriteRecord(TlsProtocol.java:927)at
> org.bouncycastle.tls.TlsProtocol.raiseAlertWarning(TlsProtocol.java:1602)at
> org.bouncycastle.tls.TlsProtocol.handleClose(TlsProtocol.java:299)at
> org.bouncycastle.tls.TlsProtocol.close(TlsProtocol.java:1780)at
> org.bouncycastle.jsse.provider.ProvSSLSocketWrap.close(ProvSSLSocketWrap.java:154){code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
