[External] : Re: Bug with TLSv1.3 session resumption (most likely caused by concurrency bug)
Jamil Nimeh
jamil.j.nimeh at oracle.com
Fri Mar 19 15:34:46 UTC 2021
Hi Norman, I've been working a couple other bugs, but I should have some
time to devote to it next week.
--Jamil
On 3/19/2021 6:15 AM, Norman Maurer wrote:
> I was wondering if there is any update or anything I can help with ?
>
> Bye
> Norman
>
>> Am 04.03.2021 um 18:51 schrieb Jamil Nimeh <jamil.j.nimeh at oracle.com>:
>>
>>
>>
>> I already replied to Norman directly (because apparently I cannot
>> seem to find my Reply-all button before my morning caffeine!). It
>> does look quite a bit like 8241248 and that issue is in my bug
>> queue. I haven't started work on it yet, but now that Norman has
>> provided me some links to a reproducer I can give it a spin and see
>> if I can make the bug happen locally (Thanks Norman!)
>>
>> --Jamil
>>
>> On 3/4/2021 8:22 AM, Xue-Lei Fan wrote:
>>> Forward to security-dev.
>>>
>>> Xuelei
>>>
>>>> On Mar 4, 2021, at 6:11 AM, Norman Maurer
>>>> <norman.maurer at googlemail.com
>>>> <mailto:norman.maurer at googlemail.com>> wrote:
>>>>
>>>> Hi there,
>>>>
>>>> I think I found a bug in the TLSv1.3 session cache implementation
>>>> which sometimes can cause failures during session resumption.
>>>> The cause of this sometimes show up as NPE:
>>>>
>>>> javax.net.ssl.SSLException: Session has no PSK
>>>> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
>>>> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>> at
>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
>>>> at
>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
>>>> at
>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:283)
>>>> at
>>>> java.base/sun.security.ssl.PreSharedKeyExtension.checkBinder(PreSharedKeyExtension.java:537)
>>>> at
>>>> java.base/sun.security.ssl.PreSharedKeyExtension$CHPreSharedKeyUpdate.consume(PreSharedKeyExtension.java:528)
>>>> at
>>>> java.base/sun.security.ssl.SSLExtension.consumeOnTrade(SSLExtension.java:583)
>>>> at
>>>> java.base/sun.security.ssl.SSLExtensions.consumeOnTrade(SSLExtensions.java:222)
>>>> at
>>>> java.base/sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:539)
>>>> at
>>>> java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1234)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1170)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:852)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
>>>> at
>>>> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>>>> at
>>>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
>>>> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1557)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1571)
>>>> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1455)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1282)
>>>> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1329)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>>>> at
>>>> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>>>> at
>>>> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>>>> at
>>>> io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
>>>> at
>>>> io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
>>>> at
>>>> io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
>>>> at
>>>> io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
>>>> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
>>>> at
>>>> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>>>> at
>>>> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>>>> at
>>>> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>>>> at java.base/java.lang.Thread.run(Thread.java:834)
>>>> java.lang.NullPointerException
>>>> at java.base/sun.security.ssl.HKDF.extract(HKDF.java:93)
>>>> at java.base/sun.security.ssl.HKDF.extract(HKDF.java:119)
>>>> at
>>>> java.base/sun.security.ssl.ServerHello.setUpPskKD(ServerHello.java:1169)
>>>> at
>>>> java.base/sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:547)
>>>> at
>>>> java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1234)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1170)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:852)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
>>>> at
>>>> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>>>> at
>>>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
>>>> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1557)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1571)
>>>> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1455)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1282)
>>>> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1329)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>>>> at
>>>> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>>>> at
>>>> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>>>> at
>>>> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>>>> at
>>>> io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
>>>> at
>>>> io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
>>>> at
>>>> io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
>>>> at
>>>> io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
>>>> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
>>>> at
>>>> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
>>>> at
>>>> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
>>>> at
>>>> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>>>> at java.base/java.lang.Thread.run(Thread.java:834)
>>>>
>>>>
>>>> Other times the NPE is not included but it still fails with
>>>> something like:
>>>>
>>>> Caused by: javax.net.ssl.SSLException: Session has no PSK
>>>> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
>>>> at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
>>>> at
>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:336)
>>>> at
>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
>>>> at
>>>> java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:283)
>>>> at
>>>> java.base/sun.security.ssl.PreSharedKeyExtension.checkBinder(PreSharedKeyExtension.java:537)
>>>> at
>>>> java.base/sun.security.ssl.PreSharedKeyExtension$CHPreSharedKeyUpdate.consume(PreSharedKeyExtension.java:528)
>>>> at
>>>> java.base/sun.security.ssl.SSLExtension.consumeOnTrade(SSLExtension.java:583)
>>>> at
>>>> java.base/sun.security.ssl.SSLExtensions.consumeOnTrade(SSLExtensions.java:222)
>>>> at
>>>> java.base/sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:539)
>>>> at
>>>> java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1234)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1170)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:852)
>>>> at
>>>> java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
>>>> at
>>>> java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>>>> at
>>>> java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
>>>> at java.base/java.security.AccessController.doPrivileged(Native Method)
>>>> at
>>>> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1557)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1571)
>>>> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1455)
>>>> at
>>>> io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1282)
>>>> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1329)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:508)
>>>> at
>>>> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:447)
>>>> ... 17 common frames omitted
>>>>
>>>> Looking at the first stacktrace this seems to be related to:
>>>>
>>>> https://bugs.openjdk.java.net/browse/JDK-8241248
>>>> <https://bugs.openjdk.java.net/browse/JDK-8241248>
>>>>
>>>>
>>>> Unfortunately I don’t have a reproducer which uses the JDK only
>>>> here but I can reproduce this with Netty that uses OpenSSL on the
>>>> client side and the JDK SSLEngine on the server side.
>>>> I can reproduce this with the latest JDK11 release but can't with
>>>> JDK15. Also what makes me believe it may be a concurrency bug is
>>>> that only some handshakes fail. Like 70 out of 2600 fail.
>>>>
>>>> While the reproducer also involves netty I am wondering if you
>>>> would still be interested in it ? It should be quite straight
>>>> forward to run locally for you.
>>>>
>>>> The code that can reproduce it is here:
>>>> https://github.com/netty/netty/pull/10994#issuecomment-787976965
>>>> <https://urldefense.com/v3/__https://github.com/netty/netty/pull/10994*issuecomment-787976965__;Iw!!GqivPVa7Brio!MszdHm37EKgxWsuqHbmrEM6R16CYCNv4P7cdniOnnQLn8GlqD7Id0KfLEI9ZlbLT9VU$>
>>>>
>>>> Also you will need to use this branch:
>>>> https://github.com/netty/netty/tree/ssl_cache_revamp
>>>> <https://urldefense.com/v3/__https://github.com/netty/netty/tree/ssl_cache_revamp__;!!GqivPVa7Brio!MszdHm37EKgxWsuqHbmrEM6R16CYCNv4P7cdniOnnQLn8GlqD7Id0KfLEI9ZN3cXhdo$>
>>>>
>>>>
>>>> Please don’t hesitate if you have questions,
>>>> Norman
>>>>
>>>>
>>>>
>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20210319/cf417bb3/attachment-0001.htm>
More information about the security-dev
mailing list