Integrated: 8360539: DTLS handshakes fails due to improper cookie validation logic
Artur Barashev
abarashev at openjdk.org
Fri Jun 27 14:18:44 UTC 2025
On Thu, 26 Jun 2025 21:36:34 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> DESCRIPTION OF THE PROBLEM:
> There appears to be a bug in the isCookieValid method of HelloCookieManager that can lead to improper cookie validation results after a new cookieSecret is generated. The cookie version (cookieVersion) is initialized with a random number and increments with each cookie, regenerating the secret every 0xFFFFFF cookies.
>
> When cookieVersion is negative, the expression ((cookieVersion >> 24) & 0xFF) results in an integer that does not match the signed byte value in cookie[0], causing the else clause to be executed incorrectly. This leads to the use of legacySecret even for valid cookies.
This pull request has now been integrated.
Changeset: a471fe99
Author: Artur Barashev <abarashev at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/a471fe992fc0d71ba65b5fdbcc44b97a2783b90a
Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod
8360539: DTLS handshakes fails due to improper cookie validation logic
Reviewed-by: ascarpino, hchao
-------------
PR: https://git.openjdk.org/jdk/pull/26006
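
The signed-byte mismatch described in the quoted report can be reproduced in isolation with the following added example, which is not code from the JDK or from the integrated changeset. The class and method names are hypothetical, the way the version byte is stored in cookie[0] is assumed from the report's description, and the masked comparison is one possible correction rather than a copy of the actual change.

```java
// Added illustration; class and method names are hypothetical, not JDK code.
public class CookieVersionByteDemo {

    // Assumption: the top byte of cookieVersion is stored in cookie[0],
    // which in Java is a signed byte (-128..127).
    static byte versionByte(int cookieVersion) {
        return (byte) ((cookieVersion >> 24) & 0xFF);
    }

    // Comparison as described in the report: the left side is an int in
    // 0..255, the right side is a byte sign-extended to an int in -128..127.
    // The two can only be equal when the top byte is below 0x80.
    static boolean matchesAsReported(int cookieVersion, byte first) {
        return ((cookieVersion >> 24) & 0xFF) == first;
    }

    // One possible correction (assumption, not necessarily the integrated
    // change): mask the byte so both sides are compared in 0..255.
    static boolean matchesMasked(int cookieVersion, byte first) {
        return ((cookieVersion >> 24) & 0xFF) == (first & 0xFF);
    }

    public static void main(String[] args) {
        // Constructed sample versions: top byte below, at and above 0x80.
        int[] versions = { 0x12345678, 0x7FFFFFFF, 0x80000000, 0xA1B2C3D4, -1 };
        for (int v : versions) {
            byte first = versionByte(v);
            System.out.printf(
                "version=0x%08X cookie[0]=%4d reported=%-5b masked=%b%n",
                v, first, matchesAsReported(v, first), matchesMasked(v, first));
        }
    }
}
```

For every sample whose top byte is 0x80 or higher, the reported comparison is false even though the byte was derived from the same version, which is the condition under which the report says the legacySecret branch is taken for a valid cookie.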