--- a/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java Wed Sep 21 15:37:52 2011 -0700
+++ b/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java Thu Sep 29 17:31:30 2011 -0700
@@ -312,6 +312,11 @@
Object writeLock;
/*
+ * Is it the first application record to write?
+ */
+ private boolean isFirstAppOutputRecord = true;
+
+ /*
* Class and subclass dynamic debugging support
*/
private static final Debug debug = Debug.getInstance("ssl");
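Review bot: The new field `isFirstAppOutputRecord` is a plain non-volatile boolean, and its comment is phrased as a question that does not say which lock protects it. Elsewhere in this patch it is written on a write-cipher change and after a record write, and read in `needToSplitPayload`; none of those visible lines takes a lock itself. The guarantee presumably comes from callers holding `writeLock`, which should be confirmed since the flag decides whether the CBC protection is applied. I would replace the comment with a statement such as `/* True until the first application data byte has been written under the current write cipher; accessed only with writeLock held. */`, keeping the lock clause only once it is verified.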
@@ -617,6 +622,9 @@
// See comment above.
oldCipher.dispose();
+
+ // reset the flag of the first application record
+ isFirstAppOutputRecord = true;
}
/*
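Review bot: The added comment at the reset only restates the assignment and does not say why re-arming the exemption is safe, which is what a later maintainer needs before touching this line. The reset appears to run on every write-cipher change, which would include renegotiation; this is inferred from `oldCipher.dispose()`, because the enclosing method starts outside the hunk. The `needToSplitPayload` comment in this patch instead speaks of a "freshly negotiated TLS session", so the two should be aligned. I would word this one as `// New write keys are in effect: the next application record is the first one protected by them, so the split exemption applies again.`.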
@@ -1295,10 +1303,36 @@
}
}
+ /*
+ * turn off the flag of the first application record if we really
+ * consumed at least byte.
+ */
+ if (isFirstAppOutputRecord && ea.deltaApp() > 0) {
+ isFirstAppOutputRecord = false;
+ }
+
return hsStatus;
}
/*
+ * Need to split the payload except the following cases:
+ *
+ * 1. protocol version is TLS 1.1 or later;
+ * 2. bulk cipher does not use CBC mode, including null bulk cipher suites.
+ * 3. the payload is the first application record of a freshly
+ * negotiated TLS session.
+ * 4. the CBC protection is disabled;
+ *
+ * More details, please refer to
+ * EngineOutputRecord.write(EngineArgs, MAC, CipherBox).
+ */
+ boolean needToSplitPayload(CipherBox cipher, ProtocolVersion protocol) {
+ return (protocol.v <= ProtocolVersion.TLS10.v) &&
+ cipher.isCBCMode() && !isFirstAppOutputRecord &&
+ Record.enableCBCProtection;
+ }
+
+ /*
* Non-application OutputRecords go through here.
*/
void writeRecord(EngineOutputRecord eor) throws IOException {
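Review bot: The block comment above `needToSplitPayload` lists the cases where no split happens while the method returns the opposite condition, so a reader must negate four items to check the code against it; a Javadoc line stating the positive condition would be easier to audit, e.g. `/** Returns true when the record must be split: TLS 1.0 or earlier, CBC bulk cipher, not the first application record under the current keys, and Record.enableCBCProtection set. */`. Case 4 also deserves a sentence saying that clearing `Record.enableCBCProtection` turns the splitting off for every such connection, since that switch is defined outside this hunk. In the earlier added comment, `consumed at least byte` should read `consumed at least one byte`. The method that ends with `return hsStatus;` starts outside the hunk.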