8367059: DTLS: loss of NewSessionTicket message results in handshake failure

Reviewed-by: jnimeh, djelinski

Author: artur-oracle

src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java

@@ -170,7 +170,7 @@ Plaintext[] decode(ByteBuffer packet) throws SSLProtocolException {
 
         // Buffer next epoch message if necessary.
         if (this.readEpoch < recordEpoch) {
-            // Discard the record younger than the current epcoh if:
+            // Discard the record younger than the current epoch if:
             // 1. it is not a handshake message, or
             // 3. it is not of next epoch.
             if ((contentType != ContentType.HANDSHAKE.id &&
@@ -1445,7 +1445,7 @@ boolean flightIsReady() {
                 //
                 if (expectCCSFlight) {
                     // Have the ChangeCipherSpec/Finished flight been received?
-                    boolean isReady = hasFinishedMessage(bufferedFragments);
+                    boolean isReady = hasFinishedMessage();
                     if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
                         SSLLogger.fine(
                             "Has the final flight been received? " + isReady);
@@ -1492,7 +1492,7 @@ boolean flightIsReady() {
                 //
                 // an abbreviated handshake
                 //
-                if (hasFinishedMessage(bufferedFragments)) {
+                if (hasFinishedMessage()) {
                     if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
                         SSLLogger.fine("It's an abbreviated handshake.");
                     }
@@ -1565,7 +1565,7 @@ boolean flightIsReady() {
                     }
                 }
 
-                if (!hasFinishedMessage(bufferedFragments)) {
+                if (!hasFinishedMessage()) {
                     // not yet have the ChangeCipherSpec/Finished messages
                     if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
                         SSLLogger.fine(
@@ -1601,35 +1601,33 @@ boolean flightIsReady() {
             return false;
         }
 
-        // Looking for the ChangeCipherSpec and Finished messages.
+        // Looking for the ChangeCipherSpec, Finished and
+        // NewSessionTicket messages.
         //
         // As the cached Finished message should be a ciphertext, we don't
         // exactly know a ciphertext is a Finished message or not.  According
         // to the spec of TLS/DTLS handshaking, a Finished message is always
         // sent immediately after a ChangeCipherSpec message.  The first
         // ciphertext handshake message should be the expected Finished message.
-        private boolean hasFinishedMessage(Set<RecordFragment> fragments) {
-
+        private boolean hasFinishedMessage() {
             boolean hasCCS = false;
             boolean hasFin = false;
-            for (RecordFragment fragment : fragments) {
+
+            for (RecordFragment fragment : bufferedFragments) {
                 if (fragment.contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
-                    if (hasFin) {
-                        return true;
-                    }
                     hasCCS = true;
-                } else if (fragment.contentType == ContentType.HANDSHAKE.id) {
-                    // Finished is the first expected message of a new epoch.
-                    if (fragment.isCiphertext) {
-                        if (hasCCS) {
-                            return true;
-                        }
-                        hasFin = true;
-                    }
+                } else if (fragment.contentType == ContentType.HANDSHAKE.id
+                        && fragment.isCiphertext) {
+                    hasFin = true;
                 }
             }
 
-            return false;
+            // NewSessionTicket message presence in the Finished flight
+            // should only be expected on the client side, and only
+            // if stateless resumption is enabled.
+            return hasCCS && hasFin && (!tc.sslConfig.isClientMode
+                    || !tc.handshakeContext.statelessResumption
+                    || hasCompleted(SSLHandshake.NEW_SESSION_TICKET.id));
         }
 
         // Is client CertificateVerify a mandatory message?
@@ -1674,7 +1672,7 @@ private boolean hasCompleted(
                 int presentMsgSeq, int endMsgSeq) {
 
             // The caller should have checked the completion of the first
-            // present handshake message.  Need not to check it again.
+            // present handshake message.  Need not check it again.
             for (RecordFragment rFrag : fragments) {
                 if ((rFrag.contentType != ContentType.HANDSHAKE.id) ||
                         rFrag.isCiphertext) {

src/java.base/share/classes/sun/security/ssl/SSLExtension.java

@@ -286,7 +286,7 @@ enum SSLExtension implements SSLStringizer {
             ProtocolVersion.PROTOCOLS_10_12,
             SessionTicketExtension.shNetworkProducer,
             SessionTicketExtension.shOnLoadConsumer,
-            null,
+            SessionTicketExtension.shOnLoadAbsence,
             null,
             null,
             SessionTicketExtension.steStringizer),

src/java.base/share/classes/sun/security/ssl/SessionTicketExtension.java

@@ -72,6 +72,8 @@ final class SessionTicketExtension {
             new T12SHSessionTicketProducer();
     static final ExtensionConsumer shOnLoadConsumer =
             new T12SHSessionTicketConsumer();
+    static final HandshakeAbsence shOnLoadAbsence =
+            new T12SHSessionTicketOnLoadAbsence();
 
     static final SSLStringizer steStringizer = new SessionTicketStringizer();
     // No need to compress a ticket if it can fit in a single packet.
@@ -529,4 +531,27 @@ public void consume(ConnectionContext context,
             chc.statelessResumption = true;
         }
     }
+
+    /**
+     * The absence processing if a "session_ticket" extension is
+     * not present in the ServerHello handshake message.
+     */
+    private static final class T12SHSessionTicketOnLoadAbsence
+            implements HandshakeAbsence {
+
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) {
+            ClientHandshakeContext chc = (ClientHandshakeContext) context;
+
+            // Disable stateless resumption if server doesn't send the extension.
+            if (chc.statelessResumption) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.info(
+                            "Server doesn't support stateless resumption");
+                }
+                chc.statelessResumption = false;
+            }
+        }
+    }
 }

test/jdk/javax/net/ssl/DTLS/DTLSNoNewSessionTicket.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8367059
+ * @summary DTLS: loss of NewSessionTicket message results in handshake failure
+ * @modules java.base/sun.security.util
+ * @library /test/lib
+ * @build DTLSOverDatagram
+ *
+ * @comment Make sure client doesn't expect NewSessionTicket in the final
+ * flight if server doesn't send the "session_ticket" extension with
+ * ServerHello handshake message.
+ *
+ * @run main/othervm -Djdk.tls.client.enableSessionTicketExtension=false
+ *                   DTLSNoNewSessionTicket
+ * @run main/othervm -Djdk.tls.server.enableSessionTicketExtension=false
+ *                   DTLSNoNewSessionTicket
+ */
+
+public class DTLSNoNewSessionTicket extends DTLSOverDatagram {
+    public static void main(String[] args) throws Exception {
+        var testCase = new DTLSNoNewSessionTicket();
+        testCase.runTest(testCase);
+    }
+}

test/jdk/javax/net/ssl/DTLS/DTLSOverDatagram.java

@@ -21,9 +21,6 @@
  * questions.
  */
 
-// SunJSSE does not support dynamic system properties, no way to re-use
-// system properties in samevm/agentvm mode.
-
 /*
  * @test
  * @bug 8043758
@@ -132,8 +129,15 @@ void doClientSide(DatagramSocket socket, InetSocketAddress serverSocketAddr)
      * The remainder is support stuff for DTLS operations.
      */
     SSLEngine createSSLEngine(boolean isClient) throws Exception {
-        SSLContext context = getDTLSContext();
-        SSLEngine engine = context.createSSLEngine();
+        SSLContext context =
+                isClient ? getClientDTLSContext() : getServerDTLSContext();
+
+        // Note: client and server ports are not to be used for network
+        // communication, but only to be set in client and server SSL engines.
+        // We must use the same context, host and port for initial and resuming
+        // sessions when testing session resumption (abbreviated handshake).
+        SSLEngine engine = context.createSSLEngine("localhost",
+                isClient ? 51111 : 52222);
 
         SSLParameters paras = engine.getSSLParameters();
         paras.setMaximumPacketSize(MAXIMUM_PACKET_SIZE);
@@ -507,7 +511,7 @@ boolean onReceiveTimeout(SSLEngine engine, SocketAddress socketAddr,
     }
 
     // get DTSL context
-    SSLContext getDTLSContext() throws Exception {
+    static SSLContext getDTLSContext() throws Exception {
         String passphrase = "passphrase";
         return SSLContextBuilder.builder()
                 .trustStore(KeyStoreUtils.loadKeyStore(TRUST_FILENAME, passphrase))
@@ -517,6 +521,14 @@ SSLContext getDTLSContext() throws Exception {
                 .build();
     }
 
+    protected SSLContext getServerDTLSContext() throws Exception {
+        return getDTLSContext();
+    }
+
+    protected SSLContext getClientDTLSContext() throws Exception {
+        return getDTLSContext();
+    }
+
 
     /*
      * =============================================================