Skip to content

Cookie of c2c handshake is set late.  #135

New issue
New issue
Open
Open
Cookie of c2c handshake is set late. #135
Labels
bugsecurity
@rustonaut

Description

@rustonaut
rustonaut
opened on Sep 14, 2021

The line(s) below sets the cookie of the c2c peer when receiving the auth message.

For initiator:

saltyrtc-client-java/src/main/java/org/saltyrtc/client/signaling/InitiatorSignaling.java

Line 503 in d01e553

responder.getCookiePair().setTheirs(nonce.getCookie());

For responder:

saltyrtc-client-java/src/main/java/org/saltyrtc/client/signaling/ResponderSignaling.java

Line 310 in d01e553

this.initiator.getCookiePair().setTheirs(nonce.getCookie());

But as far as I understand the cookie should be set when first receiving a message from a client (independent of weather it's from/as the Server, Responder or Initiator). But before receiving the auth the Initiator/Responder do receive a Key and potential Token message, so I think the cookie should be set when receiving Token (or Key if no Token message is send/expected).

Details

Spec

In case this is the first message received from the sender, the peer:
[...]

  • MUST store cookie, overflow number and sequence number (or the combined sequence number) for checks on further messages.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugsecurity

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions