RFR: 8350830: Values converted incorrectly when reading TLS session tickets [v2]

Nibedita Jena duke at openjdk.org
Wed Apr 9 12:57:06 UTC 2025


> Session resumption without server side state was added under [JDK-8211018](https://bugs.openjdk.org/browse/JDK-8211018).
> While it is TLSv1.2 session resumption, the client hello message is being parsed in SSLSessionImpl for each extension.
> 
> A customer has reported a handshake failure, and it is reproducible locally with a NegativeArraySizeException when there is a ServerNameIndication with size > 127.
> According to RFC 3546, the host_name limit allowed is 255.
> With a sample testcase when the host_name length is > 127, exception is thrown:
> javax.net.ssl|DEBUG|71|Thread-1|2025-04-06 17:13:07.278 UTC|ClientHello.java:825|Negotiated protocol version: TLSv1.2
> javax.net.ssl|WARNING|71|Thread-1|2025-04-06 17:13:07.281 UTC|SSLSocketImpl.java:1672|handling exception (
> "throwable" : {
>   java.lang.NegativeArraySizeException: -1
>         at java.base/sun.security.ssl.SSLSessionImpl.<init>(SSLSessionImpl.java:399)
>         at java.base/sun.security.ssl.SessionTicketExtension$T12CHSessionTicketConsumer.consume(SessionTicketExtension.java:468)
> 
> e.g.
> int l = buf.get();
> b = new byte[l];  <-------------------- NegativeArraySizeException thrown here when > 127
> 
> For TLSv1.3, it's not an issue until length > 255.
> 
> According to RFC 5077, PSK identity length allowed is <0..2^16-1> and so its value conversion is being taken care of under this change.
> Master secret is allowed for 48 bytes - master_secret[48], shouldn't be an issue.

Nibedita Jena has updated the pull request incrementally with one additional commit since the last revision:

  Minor change

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/24535/files
  - new: https://git.openjdk.org/jdk/pull/24535/files/81ea059c..46d4a6e0

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=24535&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=24535&range=00-01

  Stats: 4 lines in 1 file changed: 0 ins; 0 del; 4 mod
  Patch: https://git.openjdk.org/jdk/pull/24535.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/24535/head:pull/24535

PR: https://git.openjdk.org/jdk/pull/24535
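
The signed-byte conversion described in the quoted pull request text, shown as an added example that is not part of the original message or of the JDK patch. The class and method names are hypothetical and the 200-byte host name is constructed sample input; `readUnsigned16` covers the two-byte `<0..2^16-1>` case the description mentions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added illustration; class and method names are hypothetical, not JDK code.
public class UnsignedLengthDemo {

    // Pattern from the report: ByteBuffer.get() returns a signed byte,
    // so a length prefix above 127 is read as a negative int.
    static byte[] readSigned8(ByteBuffer buf) {
        int len = buf.get();
        byte[] b = new byte[len];   // NegativeArraySizeException when the prefix is > 127
        buf.get(b);
        return b;
    }

    // One-byte length prefix interpreted as unsigned (0..255).
    static byte[] readUnsigned8(ByteBuffer buf) {
        return take(buf, Byte.toUnsignedInt(buf.get()));
    }

    // Two-byte length prefix interpreted as unsigned (0..2^16-1).
    static byte[] readUnsigned16(ByteBuffer buf) {
        return take(buf, Short.toUnsignedInt(buf.getShort()));
    }

    // Reject a declared length that runs past the data actually present.
    private static byte[] take(ByteBuffer buf, int len) {
        if (len > buf.remaining()) {
            throw new IllegalArgumentException("declared length " + len + " exceeds buffer");
        }
        byte[] b = new byte[len];
        buf.get(b);
        return b;
    }

    public static void main(String[] args) {
        // Constructed sample: a 200-byte host name behind a 1-byte length prefix.
        byte[] host = "a".repeat(200).getBytes(StandardCharsets.US_ASCII);
        ByteBuffer buf = ByteBuffer.allocate(1 + host.length);
        buf.put((byte) host.length).put(host).flip();

        try {
            readSigned8(buf.duplicate());
        } catch (NegativeArraySizeException e) {
            System.out.println("signed read failed: " + e);
        }
        System.out.println("unsigned read: " + readUnsigned8(buf.duplicate()).length + " bytes");
    }
}
```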

