8206929: Check session context for TLS 1.3 session resumption

Additional checks to prevent TLS 1.3 sessions from being resumed when they shouldn't Reviewed-by: xuelei
2025-12-15 05:49:40 +01:00 · 2018-07-17 13:04:40 -04:00
parent 2c82c9e1bd
commit 108461949f
5 changed files with 676 additions and 18 deletions
--- a/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java
@@ -96,7 +96,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
    private boolean             invalidated;
    private X509Certificate[]   localCerts;
    private PrivateKey          localPrivateKey;
-    private final String[]      localSupportedSignAlgs;
+    private final Collection<SignatureScheme>     localSupportedSignAlgs;
    private String[]            peerSupportedSignAlgs;      // for certificate
    private boolean             useDefaultPeerSignAlgs = false;
    private List<byte[]>        statusResponses;
@@ -144,7 +144,7 @@ final class SSLSessionImpl extends ExtendedSSLSession {
        this.sessionId = new SessionId(false, null);
        this.host = null;
        this.port = -1;
-        this.localSupportedSignAlgs = new String[0];
+        this.localSupportedSignAlgs = Collections.emptySet();
        this.serverNameIndication = null;
        this.requestedServerNames = Collections.<SNIServerName>emptyList();
        this.useExtendedMasterSecret = false;
@@ -179,8 +179,9 @@ final class SSLSessionImpl extends ExtendedSSLSession {
        this.sessionId = id;
        this.host = hc.conContext.transport.getPeerHost();
        this.port = hc.conContext.transport.getPeerPort();
-        this.localSupportedSignAlgs =
-                SignatureScheme.getAlgorithmNames(hc.localSupportedSignAlgs);
+        this.localSupportedSignAlgs = hc.localSupportedSignAlgs == null ?
+                Collections.emptySet() :
+                Collections.unmodifiableCollection(hc.localSupportedSignAlgs);
        this.serverNameIndication = hc.negotiatedServerName;
        this.requestedServerNames = Collections.<SNIServerName>unmodifiableList(
                hc.getRequestedServerNames());
@@ -969,16 +970,20 @@ final class SSLSessionImpl extends ExtendedSSLSession {
    }

    /**
-     * Gets an array of supported signature algorithms that the local side is
-     * willing to verify.
+     * Gets an array of supported signature algorithm names that the local
+     * side is willing to verify.
     */
    @Override
    public String[] getLocalSupportedSignatureAlgorithms() {
-        if (localSupportedSignAlgs != null) {
-            return localSupportedSignAlgs.clone();
-        }
+        return SignatureScheme.getAlgorithmNames(localSupportedSignAlgs);
+    }

-        return new String[0];
+    /**
+     * Gets an array of supported signature schemes that the local side is
+     * willing to verify.
+     */
+    public Collection<SignatureScheme> getLocalSupportedSignatureSchemes() {
+        return localSupportedSignAlgs;
    }

    /**