473832 SslConnection flips back buffers on handshake exception
diff --git a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
index 84e523d..ca32841 100644
--- a/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
+++ b/jetty-io/src/main/java/org/eclipse/jetty/io/ssl/SslConnection.java
@@ -503,8 +503,15 @@
// Let's unwrap even if we have no net data because in that
// case we want to fall through to the handshake handling
int pos = BufferUtil.flipToFill(app_in);
- SSLEngineResult unwrapResult = _sslEngine.unwrap(_encryptedInput, app_in);
- BufferUtil.flipToFlush(app_in, pos);
+ SSLEngineResult unwrapResult;
+ try
+ {
+ unwrapResult = _sslEngine.unwrap(_encryptedInput, app_in);
+ }
+ finally
+ {
+ BufferUtil.flipToFlush(app_in, pos);
+ }
if (DEBUG)
{
LOG.debug("{} net={} unwrap {}", SslConnection.this, net_filled, unwrapResult.toString().replace('\n',' '));
@@ -728,10 +735,18 @@
// We call sslEngine.wrap to try to take bytes from appOut buffers and encrypt them into the _netOut buffer
BufferUtil.compact(_encryptedOutput);
int pos = BufferUtil.flipToFill(_encryptedOutput);
- SSLEngineResult wrapResult = _sslEngine.wrap(appOuts, _encryptedOutput);
+ SSLEngineResult wrapResult;
+ try
+ {
+ wrapResult = _sslEngine.wrap(appOuts, _encryptedOutput);
+ }
+ finally
+ {
+ BufferUtil.flipToFlush(_encryptedOutput, pos);
+ }
if (DEBUG)
LOG.debug("{} wrap {}", SslConnection.this, wrapResult.toString().replace('\n',' '));
- BufferUtil.flipToFlush(_encryptedOutput, pos);
+
Status wrapResultStatus = wrapResult.getStatus();
boolean allConsumed=true;
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslConnectionFactoryTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslConnectionFactoryTest.java
index e3ac918..9d7e859 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslConnectionFactoryTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslConnectionFactoryTest.java
@@ -21,6 +21,7 @@
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
+import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
@@ -142,6 +143,19 @@
Assert.assertThat(response,Matchers.containsString("url=/ctx/path"));
return response;
}
+
+ @Test
+ public void testBadHandshake() throws Exception
+ {
+ try(Socket socket=new Socket("127.0.0.1", _port); OutputStream out = socket.getOutputStream())
+ {
+ out.write("Rubbish".getBytes());
+ out.flush();
+
+ Assert.assertThat(socket.getInputStream().read(),Matchers.equalTo(-1));
+ }
+
+ }
private String getResponse(String sniHost,String reqHost, String cn) throws Exception
{
