I agree with Chris here that doing in-place modification of the source buffer is really surprising even if it’s not read-only. This really sounds like something I would consider a „breaking change“ as I can’t imagine users would expect this at all (nothing was ever in the javadocs that would suggest this behavior)
Bye Norman > Am 24.03.2022 um 21:32 schrieb Bradford Wetmore <bradford.wetm...@oracle.com>: > > Problem easily duplicated, thanks for the reproducer. > > I've updated the bug with the info. > > Brad > > >> On 3/24/2022 9:13 AM, Chris Vest wrote: >> On Wed, Mar 23, 2022 at 10:38 AM Bradford Wetmore >> <bradford.wetm...@oracle.com <mailto:bradford.wetm...@oracle.com>> wrote: >> Offhand, sounds like a bug to me. I've filed: >> https://bugs.openjdk.java.net/browse/JDK-8283577 >> <https://bugs.openjdk.java.net/browse/JDK-8283577> >> Thanks. The in-place use of the input buffer might also be unexpected even >> when the buffer is not read-only. >> By chance, do you have a simple reproducer handy? >> See https://github.com/netty/netty/pull/12213#issuecomment-1077796917 >> <https://urldefense.com/v3/__https://github.com/netty/netty/pull/12213*issuecomment-1077796917__;Iw!!ACWV5N9M2RV99hQ!fZx3LxRdafSPcHg6-4XPFumXYR6gTlOaQfC14ixjjjwlZK7IbHD4voW9gxXeHFbPRTToQg$> >> Brad >> On 3/23/2022 9:54 AM, Chris Vest wrote: >> > Hi, >> > >> > In Netty we've been trying to design some safer APIs, and >> attempted to >> > make more use of read-only ByteBuffers. >> > >> > We discovered that SSLEngine.unwrap does not like read-only input >> > buffers, even though the input buffers should in theory only be read >> > from. We obviously make sure that the output buffers are writable. >> > >> > By my reading of the javadoc, and the code, I believe this was >> intended >> > to work - or at least not intended to not work - but probably wasn't >> > tested directly. >> > >> > When we try we get this stack trace on adopt-openjdk-11.0.7: >> > >> > javax.net.ssl.SSLProtocolException: null >> > at >> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129) >> > at >> > >> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) >> > at >> > >> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) >> > at >> > >> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) >> > at >> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:118) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:668) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:623) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:441) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:420) >> > at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:674) >> > at >> io.netty5.handler.ssl.EngineWrapper.unwrap(EngineWrapper.java:100) >> > at io.netty5.handler.ssl.SslHandler.unwrap(SslHandler.java:1227) >> > at >> > >> io.netty5.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1105) >> > at io.netty5.handler.ssl.SslHandler.decode(SslHandler.java:1165) >> > at >> > >> io.netty5.handler.codec.ByteToMessageDecoderForBuffer.decodeRemovalReentryProtection(ByteToMessageDecoderForBuffer.java:384) >> > at >> > >> io.netty5.handler.codec.ByteToMessageDecoderForBuffer.callDecode(ByteToMessageDecoderForBuffer.java:327) >> > ... 20 common frames omitted >> > Caused by: java.nio.ReadOnlyBufferException: null >> > at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2493) >> > at >> > >> java.base/sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1629) >> > at >> > >> java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240) >> > at >> > >> java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197) >> > at >> > >> java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160) >> > at >> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108) >> > ... 31 common frames omitted >> > >> > >> > I also tried this on a panama-preview snapshot JDK I have, and got a >> > similar stack trace: >> > >> > % java -version >> > openjdk version "19-internal" 2022-09-20 >> > OpenJDK Runtime Environment (fastdebug build >> > 19-internal-adhoc.chris.panama-foreign) >> > OpenJDK 64-Bit Server VM (fastdebug build >> > 19-internal-adhoc.chris.panama-foreign, mixed mode) >> > >> > >> > % git show >> > commit 144af9f43cd2d6f88b675b8c85e4034e5b9d6695 (HEAD -> >> > foreign-preview, origin/foreign-preview) >> > >> > >> > javax.net.ssl.SSLProtocolException: null >> > at >> java.base/sun.security.ssl.Alert.createSSLException(Alert.java:129) >> > at >> > >> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371) >> > at >> > >> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314) >> > at >> > >> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309) >> > at >> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:121) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) >> > at >> > >> java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) >> > at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:719) >> > at >> io.netty5.handler.ssl.EngineWrapper.unwrap(EngineWrapper.java:100) >> > at io.netty5.handler.ssl.SslHandler.unwrap(SslHandler.java:1227) >> > at >> > >> io.netty5.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1105) >> > at io.netty5.handler.ssl.SslHandler.decode(SslHandler.java:1165) >> > at >> > >> io.netty5.handler.codec.ByteToMessageDecoderForBuffer.decodeRemovalReentryProtection(ByteToMessageDecoderForBuffer.java:384) >> > at >> > >> io.netty5.handler.codec.ByteToMessageDecoderForBuffer.callDecode(ByteToMessageDecoderForBuffer.java:327) >> > ... 20 common frames omitted >> > Caused by: java.nio.ReadOnlyBufferException: null >> > at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497) >> > at >> > >> java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1933) >> > at >> > >> java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:239) >> > at >> > >> java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:196) >> > at >> > >> java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:159) >> > at >> java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) >> > ... 31 common frames omitted >> > >> > >> > We can work around this in Netty since we need to support JDK >> versions >> > that has this issue anyway, but I think it's a bug that should be >> fixed >> > at some point. >> > >> > Thanks, >> > Chris >> >
