TLS: Defer sealHashAlgorithms to after ClientHello retry

peterdettman · peterdettman · commit 609723396bf3 · 2025-12-01T23:53:44.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java b/tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java
@@ -484,22 +484,34 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                 {
                     process13HelloRetryRequest(serverHello);
                     handshakeHash.notifyPRFDetermined();
-                    handshakeHash.sealHashAlgorithms();
+
                     TlsUtils.adjustTranscriptForRetry(handshakeHash);
+
                     buf.updateHash(handshakeHash);
                     this.connection_state = CS_SERVER_HELLO_RETRY_REQUEST;
 
                     send13ClientHelloRetry();
                     this.connection_state = CS_CLIENT_HELLO_RETRY;
+
+                    /*
+                     * PSK binders (if any) when retrying ClientHello currently require handshakeHash buffering
+                     */
+                    handshakeHash.sealHashAlgorithms();
                 }
                 else
                 {
                     processServerHello(serverHello);
                     handshakeHash.notifyPRFDetermined();
+
                     if (TlsUtils.isTLSv13(securityParameters.getNegotiatedVersion()))
                     {
                         handshakeHash.sealHashAlgorithms();
                     }
+                    else
+                    {
+                        // For pre-1.3 wait until ServerHelloDone is received
+                    }
+
                     buf.updateHash(handshakeHash);
                     this.connection_state = CS_SERVER_HELLO;
 
