8231780: Better TLS messaging support

Reviewed-by: ascarpino, rhalade, mschoene
2025-08-27 06:45:07 +02:00 · 2019-10-28 18:53:51 -07:00 · 2019-10-28 18:53:51 -07:00 · c5f884c6d1
commit c5f884c6d1
parent a0f8febb8b
4 changed files with 83 additions and 2 deletions
--- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java
@ -287,6 +287,17 @@ final class CertificateVerify {
                ByteBuffer message) throws IOException {
            // The consuming happens in server side only.
            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Clean up this consumer
+            shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
+
+            // Ensure that the CV message follows the CKE
+            if (shc.handshakeConsumers.containsKey(
+                    SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected CertificateVerify handshake message");
+            }
+
            S30CertificateVerifyMessage cvm =
                    new S30CertificateVerifyMessage(shc, message);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -529,6 +540,17 @@ final class CertificateVerify {
                ByteBuffer message) throws IOException {
            // The consuming happens in server side only.
            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Clean up this consumer
+            shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
+
+            // Ensure that the CV message follows the CKE
+            if (shc.handshakeConsumers.containsKey(
+                    SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected CertificateVerify handshake message");
+            }
+
            T10CertificateVerifyMessage cvm =
                    new T10CertificateVerifyMessage(shc, message);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -767,6 +789,17 @@ final class CertificateVerify {
                ByteBuffer message) throws IOException {
            // The consuming happens in server side only.
            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Clean up this consumer
+            shc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
+
+            // Ensure that the CV message follows the CKE
+            if (shc.handshakeConsumers.containsKey(
+                    SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected CertificateVerify handshake message");
+            }
+
            T12CertificateVerifyMessage cvm =
                    new T12CertificateVerifyMessage(shc, message);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -1120,6 +1153,10 @@ final class CertificateVerify {
                ByteBuffer message) throws IOException {
            // The producing happens in handshake context only.
            HandshakeContext hc = (HandshakeContext)context;
+
+            // Clean up this consumer
+            hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_VERIFY.id);
+
            T13CertificateVerifyMessage cvm =
                    new T13CertificateVerifyMessage(hc, message);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {