JSSE: calling SSLSocket.close() should interrupt threads blocked in select()/poll()

Author: cconlon

native/com_wolfssl_WolfSSLSession.c

@@ -102,20 +102,75 @@ public class WolfSSLSession {
     /**
      * Creates a new SSL/TLS session.
      *
+     * Native session created also creates JNI SSLAppData for usage
+     * internal to wolfSSL JNI. This constructor creates a default
+     * pipe() to use for interrupting threads waiting in select()/poll()
+     * when close() is called. To skip creation of this pipe() use
+     * the WolfSSLSession(WolfSSLContext ctx, boolean setupIOPipe)
+     * constructor with 'setupIOPipe' set to false.
+     *
      * @param  ctx   WolfSSLContext object used to create SSL session.
      *
      * @throws com.wolfssl.WolfSSLException if session object creation
      *                                      failed.
      */
     public WolfSSLSession(WolfSSLContext ctx) throws WolfSSLException {
 
-        sslPtr = newSSL(ctx.getContextPtr());
+        sslPtr = newSSL(ctx.getContextPtr(), true);
         if (sslPtr == 0) {
             throw new WolfSSLException("Failed to create SSL Object");
         }
 
         WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
-            WolfSSLDebug.INFO, sslPtr, "creating new WolfSSLSession");
+            WolfSSLDebug.INFO, sslPtr,
+            "creating new WolfSSLSession (with I/O pipe)");
+
+        synchronized (stateLock) {
+            this.active = true;
+        }
+
+        /* save context reference for I/O callbacks from JNI */
+        this.ctx = ctx;
+    }
+
+    /**
+     * Creates a new SSL/TLS session.
+     *
+     * Native session created also creates JNI SSLAppData for usage
+     * internal to wolfSSL JNI. A pipe() can be created internally to wolfSSL
+     * JNI to use for interrupting threads waiting in select()/poll()
+     * when close() is called. To skip creation of this pipe(), set
+     * 'setupIOPipe' to false.
+     *
+     * It is generally recommended to have wolfSSL JNI create the native
+     * pipe(), unless you will be operating over non-Socket I/O. For example,
+     * when this WolfSSLSession is being created from the JSSE level
+     * SSLEngine class.
+     *
+     * @param ctx         WolfSSLContext object used to create SSL session.
+     * @param setupIOPipe true to create internal IO pipe(), otherwise
+     *        false
+     *
+     * @throws com.wolfssl.WolfSSLException if session object creation
+     *                                      failed.
+     */
+    public WolfSSLSession(WolfSSLContext ctx, boolean setupIOPipe)
+        throws WolfSSLException {
+
+        sslPtr = newSSL(ctx.getContextPtr(), false);
+        if (sslPtr == 0) {
+            throw new WolfSSLException("Failed to create SSL Object");
+        }
+
+        if (setupIOPipe) {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, sslPtr,
+                "creating new WolfSSLSession (with I/O pipe)");
+        } else {
+            WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+                WolfSSLDebug.INFO, sslPtr,
+                "creating new WolfSSLSession (without I/O pipe)");
+        }
 
         synchronized (stateLock) {
             this.active = true;
@@ -240,7 +295,7 @@ private synchronized void confirmObjectIsActive()
 
     /* ------------------ native method declarations -------------------- */
 
-    private native long newSSL(long ctx);
+    private native long newSSL(long ctx, boolean withIOPipe);
     private native int setFd(long ssl, Socket sd, int type);
     private native int setFd(long ssl, DatagramSocket sd, int type);
     private native int useCertificateFile(long ssl, String file, int format);
@@ -357,6 +412,8 @@ private native int setTlsHmacInner(long ssl, byte[] inner, long sz,
     private native int set1SigAlgsList(long ssl, String list);
     private native int useSupportedCurve(long ssl, int name);
     private native int hasTicket(long session);
+    private native int interruptBlockedIO(long ssl);
+    private native int getThreadsBlockedInPoll(long ssl);
 
     /* ------------------- session-specific methods --------------------- */
 
@@ -4125,6 +4182,49 @@ public synchronized void setIOSend(WolfSSLIOSendCallback callback)
         }
     }
 
+    /**
+     * Interrupt native I/O operations blocked inside select()/poll().
+     *
+     * This is used by wolfJSSE when SSLSocket.close() is called, to wake up
+     * threads that are blocked in select()/poll().
+     *
+     * @return WolfSSL.SSL_SUCCESS on success, negative on error.
+     *
+     * @throws IllegalStateException WolfSSLSession has been freed
+     */
+    public synchronized int interruptBlockedIO()
+        throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        /* Not synchronizing on sslLock, since we want to interrupt threads
+         * blocked on I/O operations, which will already hold sslLock */
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+            WolfSSLDebug.INFO, "entered interruptBlockedIO()");
+
+        return interruptBlockedIO(this.sslPtr);
+    }
+
+    /**
+     * Get count of threads currently blocked in select() or poll()
+     * at the native JNI level.
+     *
+     * @return count of threads waiting in select() or poll()
+     *
+     * @throws IllegalStateException WolfSSLSession has been freed
+     */
+    public synchronized int getThreadsBlockedInPoll()
+        throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        WolfSSLDebug.log(getClass(), WolfSSLDebug.Component.JNI,
+            WolfSSLDebug.INFO, "entered getThreadsBlockedInPoll()");
+
+        return getThreadsBlockedInPoll(this.sslPtr);
+    }
+
     /**
      * Use SNI name with this session.
      *

native/com_wolfssl_WolfSSLSession.h

@@ -313,7 +313,7 @@ private void initSSL() throws WolfSSLException, WolfSSLJNIException {
         }
 
         /* will throw WolfSSLException if issue creating WOLFSSL */
-        ssl = new WolfSSLSession(ctx);
+        ssl = new WolfSSLSession(ctx, false);
 
         enableExtraDebug();
         enableIODebug();

src/java/com/wolfssl/WolfSSLSession.java

@@ -2011,6 +2011,10 @@ public synchronized void close() throws IOException {
                     handshakeFinished = this.handshakeComplete;
                 }
 
+                WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                    "signaling any blocked I/O threads to wake up");
+                ssl.interruptBlockedIO();
+
                 /* Try TLS shutdown procedure, only if handshake has finished */
                 if (ssl != null && handshakeFinished) {
                     WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
@@ -2036,12 +2040,15 @@ public synchronized void close() throws IOException {
                         }
 
                         try {
+                            /* Use SO_LINGER value when calling
+                             * shutdown here, since we are closing the
+                             * socket */
                             if (this.socket != null) {
                                 ret = ssl.shutdownSSL(
-                                    this.socket.getSoTimeout());
+                                    this.socket.getSoLinger());
                             } else {
                                 ret = ssl.shutdownSSL(
-                                    super.getSoTimeout());
+                                    super.getSoLinger());
                             }
 
                             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
@@ -2065,9 +2072,7 @@ public synchronized void close() throws IOException {
                             /* Release native verify callback (JNI global) */
                             this.EngineHelper.unsetVerifyCallback();
 
-                            /* Connection is closed, free native WOLFSSL session
-                             * to release native memory earlier than garbage
-                             * collector might with finalize(). */
+                            /* Close ConsumedRecvCtx data stream */
                             Object readCtx = this.ssl.getIOReadCtx();
                             if (readCtx != null &&
                                 readCtx instanceof ConsumedRecvCtx) {
@@ -2076,14 +2081,6 @@ public synchronized void close() throws IOException {
                                   "calling ConsumedRecvCtx.closeDataStreams()");
                                 rctx.closeDataStreams();
                             }
-                            WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
-                                "calling this.ssl.freeSSL()");
-                            this.ssl.freeSSL();
-                            this.ssl = null;
-
-                            /* Reset internal WolfSSLEngineHelper to null */
-                            this.EngineHelper.clearObjectState();
-                            this.EngineHelper = null;
 
                             WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
                                 "thread exiting handshakeLock (shutdown)");
@@ -2112,6 +2109,33 @@ public synchronized void close() throws IOException {
                         this.outStream = null;
                     }
                 }
+
+                /* Free this.ssl here instead of above for use cases
+                 * where a SSLSocket is created then closed()'d before
+                 * connected or handshake is done. freeSSL() will
+                 * release interruptFds[] pipe() and free up descriptor. */
+                synchronized (ioLock) {
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        "thread got ioLock (freeSSL)");
+
+                    /* Connection is closed, free native WOLFSSL session
+                     * to release native memory earlier than garbage
+                     * collector might with finalize(), if we don't
+                     * have any threads still waiting in poll/select. */
+                    if (this.ssl.getThreadsBlockedInPoll() == 0) {
+                        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                            "calling this.ssl.freeSSL()");
+                        this.ssl.freeSSL();
+                        this.ssl = null;
+                    }
+
+                    /* Reset internal WolfSSLEngineHelper to null */
+                    this.EngineHelper.clearObjectState();
+                    this.EngineHelper = null;
+
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        "thread exiting ioLock (shutdown)");
+                } /* ioLock */
             }
 
             if (this.autoClose) {
@@ -2687,7 +2711,11 @@ public synchronized int read(byte[] b, int off, int len)
                 throw e;
 
             } catch (IllegalStateException e) {
-                throw new IOException(e);
+                /* SSLSocket.close() may have already called freeSSL(),
+                 * thus causing a 'WolfSSLSession object has been freed'
+                 * IllegalStateException to be thrown from
+                 * WolfSSLSession.read(). Return as a SocketException here. */
+                throw new SocketException(e.getMessage());
             }
 
             /* return number of bytes read */