Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix lock during SslStream renegotiation request #56470

Merged
merged 4 commits into from
Aug 5, 2021
Merged

Fix lock during SslStream renegotiation request #56470

merged 4 commits into from
Aug 5, 2021

Conversation

aik-jahoda
Copy link
Contributor

When server request renegotiation on client stream with pending data, the server trow exception as expected but lock is not released.

This PR fix this behaviour and extend related test to cover this case.

Close #56345

@aik-jahoda aik-jahoda requested a review from wfurt July 28, 2021 13:55
@ghost
Copy link

ghost commented Jul 28, 2021

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

When server request renegotiation on client stream with pending data, the server trow exception as expected but lock is not released.

This PR fix this behaviour and extend related test to cover this case.

Close #56345

Author: aik-jahoda
Assignees: -
Labels:

area-System.Net.Security
Milestone: -

@aik-jahoda aik-jahoda requested a review from a team July 28, 2021 13:55
stephentoub
stephentoub reviewed Jul 28, 2021
View reviewed changes
src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Outdated
@@ -252,6 +252,11 @@ private async Task ReplyOnReAuthenticationAsync<TIOAdapter>(TIOAdapter adapter,
private async Task RenegotiateAsync<TIOAdapter>(TIOAdapter adapter)
where TIOAdapter : IReadWriteAdapter
{
if (_decryptedBytesCount is not 0)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we allowed to read _decryptedBytesCount when we don't hold the locks?

Rather than moving this earlier, should it instead be moved down into the try?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting it down would be safer. We try to prevent people from using this concurrently with IO so it should not be valid case but since it is easy I think it is ok to do little bit more work e.g. do the increments/decrements.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved to the try block

aik-jahoda
aik-jahoda commented Jul 29, 2021
View reviewed changes
src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Outdated
@@ -323,7 +324,7 @@ private async Task RenegotiateAsync<TIOAdapter>(TIOAdapter adapter)
_nestedRead = 0;
_nestedWrite = 0;
_isRenego = false;
// We will not release _nestedAuth at this point to prevent another renegotiation attempt.
_nestedAuth = 0;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The renegotiation should be done we don't need postpone clear this lock

@karelz karelz mentioned this pull request Jul 29, 2021
Closed
wfurt
wfurt reviewed Aug 3, 2021
View reviewed changes
src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Implementation.cs Outdated
}
if (_decryptedBytesCount is not 0)
{
_nestedAuth = 0;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should clear it here. This was purposely left set in the finally so the RenegotiateAsync can be called at most once.

#49346 (comment)

I think especially if we throw the rest would be unpredictable IMHO.

Also if we throw for _nestedRead or _nestedWrite this would still be set. I think that is ok as the intention is not to allow multiple calls but it would be inconsistent.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, I was tempted by wrong change in test.

wfurt
wfurt approved these changes Aug 3, 2021
View reviewed changes
Copy link
Member

@wfurt wfurt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@aik-jahoda
Copy link
Contributor Author

iOSSimulator and tvOSSimulator tests are hanging, however this change is not for those platforms. Merging.

@aik-jahoda aik-jahoda merged commit 81b6502 into dotnet:main Aug 5, 2021
@aik-jahoda aik-jahoda deleted the jajahoda/renegolock branch August 5, 2021 08:54
@jaredpar jaredpar mentioned this pull request Aug 17, 2021
Open
@karelz karelz added this to the 6.0.0 milestone Aug 17, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Sep 16, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@stephentoub stephentoub stephentoub left review comments

@wfurt wfurt wfurt approved these changes

Assignees
No one assigned
Labels
area-System.Net.Security
Projects
None yet
Milestone
6.0.0
Development

Successfully merging this pull request may close these issues.

[Regression] NegotiateClientCertificateAsync exceptions do not clear the read or write locks
4 participants
@aik-jahoda @stephentoub @wfurt @karelz