RFR: 8298381: Improve handling of session tickets for multiple SSLContexts [v4]

Volker Simonis simonis at openjdk.org
Fri Dec 23 10:40:55 UTC 2022


On Thu, 22 Dec 2022 18:54:16 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Volker Simonis has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Moved stateless key logic from SSLContextImpl to SSLSessionContextImpl and addressed comments by @XueleiFan and @ascarpino
>
> src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java line 95:
> 
>> 93:             // Should be "randomly generated" according to RFC 5077,
>> 94:             // but doesn't necessarily has to be a true random number.
>> 95:             currentKeyID = this.hashCode();
> 
> As the hashCode() is called in the constructor, I'm not very sure if it works as expected.   Maybe, the system nano time could be used instead.

I don't think calling `hashCode()` is an issue as long as `SSLSessionContextImpl` doesn't override `hashCode()` (which it doesn't do) and that overridden version of `hashCode()` accesses uninitialized fields. But for the sake of getting this done, I've changed the initialization to use the result `System.nanoTime()` as a seed for a new `java.util.Random` instance and call `nextInt()` on that instance. That seems like a good compromise to me :)

-------------

PR: https://git.openjdk.org/jdk/pull/11590


More information about the security-dev mailing list