8214688: TLS 1.3 session resumption with hello retry request failed with "illegal_parameter"

Reviewed-by: jnimeh
2018-12-11 11:01:02 -05:00 · 2018-12-11 11:01:02 -05:00 · e922ef3636
commit e922ef3636
parent 3c12c4b0f3
2 changed files with 10 additions and 3 deletions
--- a/src/java.base/share/classes/sun/security/ssl/ClientHandshakeContext.java
+++ b/src/java.base/share/classes/sun/security/ssl/ClientHandshakeContext.java
@ -90,6 +90,9 @@ class ClientHandshakeContext extends HandshakeContext {

    ClientHelloMessage initialClientHelloMsg = null;

+    // PSK identity is selected in first Hello and used again after HRR
+    byte[] pskIdentity;
+
    ClientHandshakeContext(SSLContextImpl sslContext,
            TransportContext conContext) throws IOException {
        super(sslContext, conContext);
--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
@ -656,7 +656,11 @@ final class PreSharedKeyExtension {
                return null;
            }
            SecretKey psk = pskOpt.get();
-            Optional<byte[]> pskIdOpt = chc.resumingSession.consumePskIdentity();
+            // The PSK ID can only be used in one connections, but this method
+            // may be called twice in a connection if the server sends HRR.
+            // ID is saved in the context so it can be used in the second call.
+            Optional<byte[]> pskIdOpt = Optional.ofNullable(chc.pskIdentity)
+                .or(chc.resumingSession::consumePskIdentity);
            if (!pskIdOpt.isPresent()) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine(
@ -664,7 +668,7 @@ final class PreSharedKeyExtension {
                }
                return null;
            }
-            byte[] pskId = pskIdOpt.get();
+            chc.pskIdentity = pskIdOpt.get();

            //The session cannot be used again. Remove it from the cache.
            SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
@ -681,7 +685,7 @@ final class PreSharedKeyExtension {
                    chc.resumingSession.getTicketCreationTime());
            int obfuscatedAge =
                    ageMillis + chc.resumingSession.getTicketAgeAdd();
-            identities.add(new PskIdentity(pskId, obfuscatedAge));
+            identities.add(new PskIdentity(chc.pskIdentity, obfuscatedAge));

            SecretKey binderKey = deriveBinderKey(psk, chc.resumingSession);
            ClientHelloMessage clientHello = (ClientHelloMessage)message;