src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java
8167680 DTLS implementation bugs
@@ -556,77 +556,10 @@
} else {
applicationProtocol = "";
}
- // cookie exchange
- if (isDTLS) {
- HelloCookieManager hcMgr = sslContext.getHelloCookieManager();
- if ((mesg.cookie == null) || (mesg.cookie.length == 0) ||
- (!hcMgr.isValid(mesg))) {
-
- //
- // Perform cookie exchange for DTLS handshaking if no cookie
- // or the cookie is invalid in the ClientHello message.
- //
- HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg);
-
- if (debug != null && Debug.isOn("handshake")) {
- m0.print(System.out);
- }
-
- m0.write(output);
- handshakeState.update(m0, resumingSession);
- output.flush();
-
- return;
- }
- }
-
- /*
- * FIRST, construct the ServerHello using the options and priorities
- * from the ClientHello. Update the (pending) cipher spec as we do
- * so, and save the client's version to protect against rollback
- * attacks.
- *
- * There are a bunch of minor tasks here, and one major one: deciding
- * if the short or the full handshake sequence will be used.
- */
- ServerHello m1 = new ServerHello();
-
- clientRequestedVersion = mesg.protocolVersion;
-
- // select a proper protocol version.
- ProtocolVersion selectedVersion =
- selectProtocolVersion(clientRequestedVersion);
- if (selectedVersion == null ||
- selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
- fatalSE(Alerts.alert_handshake_failure,
- "Client requested protocol " + clientRequestedVersion +
- " not enabled or not supported");
- }
-
- handshakeHash.protocolDetermined(selectedVersion);
- setVersion(selectedVersion);
-
- m1.protocolVersion = protocolVersion;
-
- //
- // random ... save client and server values for later use
- // in computing the master secret (from pre-master secret)
- // and thence the other crypto keys.
- //
- // NOTE: this use of three inputs to generating _each_ set
- // of ciphers slows things down, but it does increase the
- // security since each connection in the session can hold
- // its own authenticated (and strong) keys. One could make
- // creation of a session a rare thing...
- //
- clnt_random = mesg.clnt_random;
- svr_random = new RandomCookie(sslContext.getSecureRandom());
- m1.svr_random = svr_random;
-
session = null; // forget about the current session
//
// Here we go down either of two paths: (a) the fast one, where
// the client's asked to rejoin an existing session, and the server
// permits this; (b) the other one, where a new session is created.
@@ -730,11 +663,78 @@
}
}
}
} // else client did not try to resume
+ // cookie exchange
+ if (isDTLS && !resumingSession) {
+ HelloCookieManager hcMgr = sslContext.getHelloCookieManager();
+ if ((mesg.cookie == null) || (mesg.cookie.length == 0) ||
+ (!hcMgr.isValid(mesg))) {
+
//
+ // Perform cookie exchange for DTLS handshaking if no cookie
+ // or the cookie is invalid in the ClientHello message.
+ //
+ HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg);
+
+ if (debug != null && Debug.isOn("handshake")) {
+ m0.print(System.out);
+ }
+
+ m0.write(output);
+ handshakeState.update(m0, resumingSession);
+ output.flush();
+
+ return;
+ }
+ }
+
+ /*
+ * FIRST, construct the ServerHello using the options and priorities
+ * from the ClientHello. Update the (pending) cipher spec as we do
+ * so, and save the client's version to protect against rollback
+ * attacks.
+ *
+ * There are a bunch of minor tasks here, and one major one: deciding
+ * if the short or the full handshake sequence will be used.
+ */
+ ServerHello m1 = new ServerHello();
+
+ clientRequestedVersion = mesg.protocolVersion;
+
+ // select a proper protocol version.
+ ProtocolVersion selectedVersion =
+ selectProtocolVersion(clientRequestedVersion);
+ if (selectedVersion == null ||
+ selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
+ fatalSE(Alerts.alert_handshake_failure,
+ "Client requested protocol " + clientRequestedVersion +
+ " not enabled or not supported");
+ }
+
+ handshakeHash.protocolDetermined(selectedVersion);
+ setVersion(selectedVersion);
+
+ m1.protocolVersion = protocolVersion;
+
+ //
+ // random ... save client and server values for later use
+ // in computing the master secret (from pre-master secret)
+ // and thence the other crypto keys.
+ //
+ // NOTE: this use of three inputs to generating _each_ set
+ // of ciphers slows things down, but it does increase the
+ // security since each connection in the session can hold
+ // its own authenticated (and strong) keys. One could make
+ // creation of a session a rare thing...
+ //
+ clnt_random = mesg.clnt_random;
+ svr_random = new RandomCookie(sslContext.getSecureRandom());
+ m1.svr_random = svr_random;
+
+ //
// If client hasn't specified a session we can resume, start a
// new one and choose its cipher suite and compression options.
// Unless new session creation is disabled for this connection!
//
if (session == null) {
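Review bot: The new guard `if (isDTLS && !resumingSession)` exempts every ClientHello that names a cached session from the HelloVerifyRequest cookie exchange, yet the comment directly under it still says the exchange is performed whenever the cookie is missing or invalid, which is no longer the whole story; the session-cache lookup that sets resumingSession now runs before any cookie has been verified, so the rationale for trusting a resumption attempt without the stateless check should be written down next to the condition, e.g. `// Resumption attempts skip the cookie exchange: <state why the server accepts this without the stateless check> (RFC 6347 4.2.1 makes the exchange optional)`. Because the block only executes when resumingSession is false, `handshakeState.update(m0, resumingSession);` always passes false; writing `handshakeState.update(m0, false);` would make that explicit rather than appearing to depend on the resumption outcome. The enclosing method starts and ends outside this hunk, so I cannot see whether anything between the cache lookup and this point touches session state for an unverified peer; worth confirming.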