Skip to content

Commit b84eb05

Browse files
committed
8368514: TLS stateless session ticket decryption fails on some providers
Backport-of: 3c9fd7688f4d73067db9b128c329ca7603a60578
1 parent 2dd96cd commit b84eb05

10 files changed

Lines changed: 32 additions & 20 deletions

File tree

src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -278,8 +278,10 @@ ByteBuffer decrypt(HandshakeContext hc) {
278278
aad.putInt(keyID).put(compressed);
279279
c.updateAAD(aad);
280280

281+
// use getOutputSize to avoid a ShortBufferException
282+
// from providers that require oversized buffers. See JDK-8368514.
281283
ByteBuffer out = ByteBuffer.allocate(
282-
data.remaining() - GCM_TAG_LEN / 8);
284+
c.getOutputSize(data.remaining()));
283285
c.doFinal(data, out);
284286
out.flip();
285287

@@ -291,7 +293,7 @@ ByteBuffer decrypt(HandshakeContext hc) {
291293
return out;
292294
} catch (Exception e) {
293295
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
294-
SSLLogger.fine("Decryption failed." + e.getMessage());
296+
SSLLogger.fine("Decryption failed." + e);
295297
}
296298
}
297299

test/jdk/sun/security/pkcs11/tls/tls12/FipsModeTLS12.java renamed to test/jdk/sun/security/pkcs11/tls/fips/FipsModeTLS.java

Lines changed: 28 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -24,16 +24,18 @@
2424

2525
/*
2626
* @test
27-
* @bug 8029661 8325164 8368073
27+
* @bug 8029661 8325164 8368073 8368514
2828
* @summary Test TLS 1.2 and TLS 1.3
2929
* @modules java.base/sun.security.internal.spec
3030
* java.base/sun.security.util
3131
* java.base/com.sun.crypto.provider
3232
* @library /test/lib ../..
3333
* @run main/othervm/timeout=120 -Djdk.tls.client.protocols=TLSv1.2
34-
* -Djdk.tls.useExtendedMasterSecret=false FipsModeTLS12
35-
* @comment SunPKCS11 does not support (TLS1.2) SunTlsExtendedMasterSecret yet
36-
* @run main/othervm/timeout=120 -Djdk.tls.client.protocols=TLSv1.3 FipsModeTLS12
34+
* -Djdk.tls.useExtendedMasterSecret=false
35+
* -Djdk.tls.client.enableSessionTicketExtension=false FipsModeTLS
36+
* @comment SunPKCS11 does not support (TLS1.2) SunTlsExtendedMasterSecret yet.
37+
* Stateless resumption doesn't currently work with NSS-FIPS, see JDK-8368669
38+
* @run main/othervm/timeout=120 -Djdk.tls.client.protocols=TLSv1.3 FipsModeTLS
3739
*/
3840

3941
import java.io.File;
@@ -74,7 +76,7 @@
7476
import sun.security.internal.spec.TlsPrfParameterSpec;
7577
import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
7678

77-
public final class FipsModeTLS12 extends SecmodTest {
79+
public final class FipsModeTLS extends SecmodTest {
7880

7981
private static final boolean enableDebug = true;
8082

@@ -101,8 +103,9 @@ public static void main(String[] args) throws Exception {
101103
// Test against JCE
102104
testTlsAuthenticationCodeGeneration();
103105

104-
// Self-integrity test (complete TLS 1.2 communication)
105-
new testTLS12SunPKCS11Communication().run();
106+
// Self-integrity test (complete TLS communication)
107+
testTLSSunPKCS11Communication.initSslContext();
108+
testTLSSunPKCS11Communication.run();
106109

107110
System.out.println("Test PASS - OK");
108111
} else {
@@ -269,15 +272,18 @@ private static void testTlsAuthenticationCodeGeneration()
269272
}
270273
}
271274

272-
private static class testTLS12SunPKCS11Communication {
275+
private static class testTLSSunPKCS11Communication {
273276
public static void run() throws Exception {
274277
SSLEngine[][] enginesToTest = getSSLEnginesToTest();
275-
278+
boolean firstSession = true;
276279
for (SSLEngine[] engineToTest : enginesToTest) {
277280

278281
SSLEngine clientSSLEngine = engineToTest[0];
279282
SSLEngine serverSSLEngine = engineToTest[1];
280-
283+
// The first connection needs to do a full handshake.
284+
// Verify that subsequent handshakes use resumption.
285+
clientSSLEngine.setEnableSessionCreation(firstSession);
286+
firstSession = false;
281287
// SSLEngine code based on RedhandshakeFinished.java
282288

283289
boolean dataDone = false;
@@ -400,14 +406,6 @@ private static SSLEngine[][] getSSLEnginesToTest() throws Exception {
400406
static private SSLEngine createSSLEngine(boolean client)
401407
throws Exception {
402408
SSLEngine ssle;
403-
KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "SunJSSE");
404-
kmf.init(ks, passphrase);
405-
406-
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
407-
tmf.init(ts);
408-
409-
SSLContext sslCtx = SSLContext.getInstance("TLS", "SunJSSE");
410-
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
411409
ssle = sslCtx.createSSLEngine("localhost", 443);
412410
ssle.setUseClientMode(client);
413411
SSLParameters sslParameters = ssle.getSSLParameters();
@@ -431,6 +429,18 @@ static private SSLEngine createSSLEngine(boolean client)
431429

432430
return ssle;
433431
}
432+
433+
private static SSLContext sslCtx;
434+
private static void initSslContext() throws Exception {
435+
KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "SunJSSE");
436+
kmf.init(ks, passphrase);
437+
438+
TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
439+
tmf.init(ts);
440+
441+
sslCtx = SSLContext.getInstance("TLS", "SunJSSE");
442+
sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
443+
}
434444
}
435445

436446
private static void initialize() throws Exception {
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.

0 commit comments

Comments
 (0)