Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8193783

Late calls to server setNeedClientAuth not updating HandshakeHash pool

    Details

    • Type: Bug
    • Status: Open
    • Priority: P2
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:
      None

      Description

      This is a followup to JDK-8193683.

      There is a bug currently in the way ServerHandshakers creates HandshakeHashes. If we do the following valid API pattern:

          SSLServerSocket sslServerSocket =
              (SSLServerSocket) sslssf.createServerSocket(serverPort);
          SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();

          // This is *AFTER* a SSLSocketImpl was created!!!
          sslSocket.setNeedClientAuth(true);

          InputStream sslIS = sslSocket.getInputStream();
          sslIS.read();

      The SSLSocketImpl is initialized with no clientauth required, which creates a ServerHandshaker with no auth, which creates a HandshakeHash(false), which only creates 3 clones. Now return to the app's setNeedClientAuth call, which updates the ServerHandshaker to require the client auth, but it doesn't update HandshakeHash to now require 4 digests.

      Actually, this bug could be updated to better calculate the exact number of HandshakeHash clones that are needed.

       102 /**
       103 * Create a new HandshakeHash.
       104 * The number of necessary digest clones is calculated in Handshaker
       105 */
       106 HandshakeHash(int numDigests) {
       107 clonesNeeded = numDigests;
       108 }

       228 try {
       229 finMD = CloneableDigest.getDigest(normalizeAlgName(s), 4);
       230 } catch (NoSuchAlgorithmException e) {
       231 throw new Error(e);
       232 }

      and in Handshaker.java

       555 // We accumulate digests of the handshake messages so that
       556 // we can read/write CertificateVerify and Finished messages,
       557 // getting assurance against some particular active attacks.
       558 int numDigests = 2;
       559 if (needCertVerify) {
       560 numDigests++;
       561 }
       562 if (useExtendedMasterSecret) {
       563 numDigests++;
       564 }
       565 handshakeHash = new HandshakeHash(numDigests);

      Note that this code also needs a way to update the HandshakeHash if clientAuth is turned on after the Handshaker has been created.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                wetmore Bradford Wetmore
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated: