RFR 8206929: Check session context for TLS session resumption
Xuelei Fan
xuelei.fan at oracle.com
Fri Jul 13 15:34:02 UTC 2018
PreSharedKeyExtension.java
--------------------------
The local supported signature algorithms are checked in the canRejoin()
method. Should the peer supported signature algorithms be checked as well?
Thanks,
Xuelei
On 7/13/2018 8:08 AM, Adam Petcher wrote:
> Here's a new Webrev that includes this change:
> http://cr.openjdk.java.net/~apetcher/8206929/webrev.01/
>
>
> On 7/12/2018 1:02 PM, Xuelei Fan wrote:
>> Setting it in PostHandshakeContext should be fine as the session should
>> have been negotiated.
>>
>> Thanks,
>> Xuelei
>>
>> On 7/12/2018 9:57 AM, Adam Petcher wrote:
>>> This value needs to be set when we create a PostHandshakeContext from
>>> a TransportContext. This only happens after the handshake is
>>> complete, so we should always have a session (right?).
>>>
>>> It may be better to set localSupportedSignAlgs in the constructor of
>>> PostHandshakeContext instead of where it is now. Would that address
>>> your concern?
>>>
>>>
>>> On 7/12/2018 12:45 PM, Xuelei Fan wrote:
>>>> A quick question about the update in HandshakeContext.java.
>>>>
>>>> + this.localSupportedSignAlgs = new ArrayList<SignatureScheme>(
>>>> + conContext.conSession.getLocalSupportedSignatureSchemes());
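Review bot: The `this.localSupportedSignAlgs = new ArrayList<SignatureScheme>(...)` assignment can never leave the field null, and `conContext.conSession` is dereferenced with no check in the lines shown. The copy constructor yields a (possibly empty) list, or throws NullPointerException if `getLocalSupportedSignatureSchemes()` returns null. Suggest guarding the assignment so it only runs where a negotiated session is guaranteed to exist, or adding a comment that states that invariant.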
>>>>
>>>> Why set the value here? The 'null' value of localSupportedSignAlgs
>>>> has a special meaning that it has not been set. A few places depend
>>>> on this special value. The above update may set it to empty if the
>>>> session has not been established, and then prevent the proper
>>>> setting of the value of it later.
>>>>
>>>> Xuelei
>>>>
>>>> On 7/12/2018 8:50 AM, Adam Petcher wrote:
>>>>> This change adds some checks for session resumption in TLS 1.3 to
>>>>> ensure that the resumed session is compatible with what is
>>>>> requested. Specifically, I'm adding checks for protocol version,
>>>>> cipher suite, client authentication, and signature schemes. There
>>>>> are also some minor whitespace formatting changes in
>>>>> PreSharedKeyExtension.java.
>>>>>
>>>>> This is a JDK 11 change, so please review soon.
>>>>>
>>>>> Webrev: http://cr.openjdk.java.net/~apetcher/8206929/webrev.00/
>>>>> JBS: https://bugs.openjdk.java.net/browse/JDK-8206929
>>>>>
>>>
>
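The checks listed in the original change description (protocol version, cipher suite, client authentication, signature schemes) can be sketched as a single compatibility test. This is an added illustration, not code from the webrev or the JDK: every type, field and method name below is hypothetical, the sample values are constructed, and applying the signature-scheme check unconditionally and refusing on an unset (null) list are assumptions of this sketch. It requires Java 16 or later for records.

```java
import java.util.List;
import java.util.Set;

// Added illustration; all names are hypothetical, not JDK internals.
public class ResumptionCheck {
    // What was recorded when the cached session was first negotiated.
    record CachedSession(String protocol, String cipherSuite,
                         boolean peerAuthenticated, List<String> localSigSchemes) {}

    // What the current connection is configured to accept.
    record Requested(String protocol, Set<String> enabledSuites,
                     boolean clientAuthRequired, List<String> localSigSchemes) {}

    // Returns null when the session may be resumed, otherwise the reason
    // to fall back to a full handshake.
    static String rejectReason(CachedSession s, Requested r) {
        if (!s.protocol().equals(r.protocol())) {
            return "protocol version mismatch";
        }
        if (!r.enabledSuites().contains(s.cipherSuite())) {
            return "cipher suite no longer enabled";
        }
        if (r.clientAuthRequired() && !s.peerAuthenticated()) {
            return "client auth required but session has no peer identity";
        }
        // null is kept distinct from empty: null means "not set yet".
        // This sketch fails closed in that case (an assumption).
        if (r.localSigSchemes() == null) {
            return "local signature schemes not set";
        }
        if (!r.localSigSchemes().containsAll(s.localSigSchemes())) {
            return "session signature scheme no longer supported";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        CachedSession s = new CachedSession("TLSv1.3", "TLS_AES_128_GCM_SHA256",
                false, List.of("ecdsa_secp256r1_sha256"));
        Requested same = new Requested("TLSv1.3", Set.of("TLS_AES_128_GCM_SHA256"),
                false, List.of("ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256"));
        Requested needsAuth = new Requested("TLSv1.3", Set.of("TLS_AES_128_GCM_SHA256"),
                true, List.of("ecdsa_secp256r1_sha256"));
        System.out.println("unchanged config: " + rejectReason(s, same));
        System.out.println("client auth now required: " + rejectReason(s, needsAuth));
    }
}
```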