There is a race condition in the KEX implementation. A simple reproducer can be obtained by modifying SftpTransferTest by inserting the following in method doTestTransferIntegrity() just before the main try-finally:
This forces rekeying every 512kB; the test roundtrips a 10Mb file twice, which gives ample opportunity to run into this race condition. Typically the test fails very quickly and hangs.
The hang is always caused by an async write not being cancelled when the session gets disconnected. The session disconnects during KEX because KEX state is corrupted because of the race condition.
Most of the time the race condition causes a signature verification failure during KEX, but I also got "Disconnecting(ClientSessionImpl[testTransferIntegrity@/127.0.0.1:62186]): SSH2_DISCONNECT_KEY_EXCHANGE_FAILED - Unable to negotiate key exchange for mac algorithms (server to client) (client: null / server: firstname.lastname@example.org,email@example.com,firstname.lastname@example.org,hmac-sha2-256,hmac-sha2-512,hmac-sha1)", which is easier to understand than the signature verification failure.
The precise sequence of events in that case is
There is window between steps 3 and 7 in AbstractSession.requestNewKeyExchange() during which the KEX state is INIT, but the client proposal isn't initialized yet; it's initialized only after sendKexInit() has been done. However, the client already got the server's KEX_INIT message, and in doKexNegotiation() proceeds as if the client proposal was already set up.
So, theres' two problems here:
- KEX fails due to a race condition.
- The client hangs after disconnecting because an async write future is not terminated.