Code Review Request, JDK-8167680, DTLS implementation bugs

Xuelei Fan xuelei.fan at oracle.com
Fri Oct 21 03:31:50 UTC 2016 

Updated webrev per Jamil's comments:

    http://cr.openjdk.java.net/~xuelei/8167680/webrev.01/

Xuelei

On 10/13/2016 10:36 PM, Xuelei Fan wrote:
> Hi,
>
> Please review the fix for JDK-8167680:
>    http://cr.openjdk.java.net/~xuelei/8167680/webrev.00/
>
> There are a few implementation bugs in JDK.
>
> 1. The sequence number is increased by 2 for GCM cipher suites.
> Both GCM crypto operation and DTLS record use the sequence number.  The
> current implementation may increase the sequence number for each of the
> two operations.  It is not the expected behavior.
>
> 2. The implementation does not response to handshake retransmissions.
> In the current implementation, receiving of retransmitted handshake
> messages does not kick off a retransmission of the previous delivered
> flight.  Retransmission happens on timeout.  Timeout is expensive.
> Supporting response to peer retransmitted handshake messages would speed
> up the handshaking.
>
> 3. the final CCC and finished message cannot be retransmitted.
> It is an implementation bug.  Every handshake message should be able to
> get retransmitted.
>
> 4. the first application data may be discarded if the last flight get lost.
> Applications may send application data immediately after the handshake
> completed.  However, the peer may have not receive the handshake
> complete message, and therefor discard the application data.  As may
> impact application logic.
>
> For example
>
>     Client                 Server
>                ....
>        -- ClientKeyExchange -->
>        -- ChangeCipherSpec  -->
>        -- Finished          -->
>
>
>        X <-- ChangeCipherSpec --
>        X <-- Finished         --
>
>        <-- Application Data  --
>
>        -----    ...        --->
>        -- ClientKeyExchange -->
>        -- ChangeCipherSpec  -->
>        -- Finished          -->
>
>        <-- ChangeCipherSpec --
>        <-- Finished         --
>
>
> 1. (omit the previous handshake messages) server sends ChangeCipherSpec
> and Finished messages.
> 2. server handshake complete
> 3. server send application
> 4. client does not receive the ChangeCipherSpec or Finished messages.
> 5. client receives the application data.  Client cannot handle the
> encrypted message, and may discard it.  Client re-transmit the previous
> flight.
> 6. server retransmit the last flight.
> 7. client receives the last flight.
>
> In this update, the last flight will be transmit twice.  As may mitigate
> the impact of the issue.
>
> 5. resuming handshaking need no cookie exchange.
> It is an implementation bug.  Cookie exchange is performed for
> handshaking resuming now.  It is not the expected behavior.
>
> 6. need more debug log for DTLS handshake message fragmentation and
> reassembly.
>
>
> Thanks,
> Xuelei

More information about the security-dev mailing list