RFR: 8360539: DTLS handshakes fails due to improper cookie validation logic
Artur Barashev
abarashev at openjdk.org
Thu Jun 26 21:43:54 UTC 2025
DESCRIPTION OF THE PROBLEM:
There appears to be a bug in the isCookieValid method of HelloCookieManager that can lead to improper cookie validation results after a new cookieSecret is generated. The cookie version (cookieVersion) is initialized with a random number and increments with each cookie, regenerating the secret every 0xFFFFFF cookies.
When cookieVersion is negative, the expression ((cookieVersion >> 24) & 0xFF) results in an integer that does not match the signed byte value in cookie[0], causing the else clause to be executed incorrectly. This leads to the use of legacySecret even for valid cookies.
-------------
Commit messages:
- 8360539: DTLS handshakes fails due to improper cookie validation logic
Changes: https://git.openjdk.org/jdk/pull/26006/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=26006&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8360539
Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod
Patch: https://git.openjdk.org/jdk/pull/26006.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/26006/head:pull/26006
PR: https://git.openjdk.org/jdk/pull/26006
More information about the security-dev
mailing list