Code Review Request: CR 6976118, version number tolerance in the PreMasterSecret

Xuelei Fan xuelei.fan at oracle.com
Thu Dec 30 10:07:23 UTC 2010


On 12/30/2010 9:39 AM, Weijun Wang wrote:
> Hi Xuelei
> 
> Are you sure these 3 files all need to be changed? Hopefully you can
> change as few as possible.
> 
Yes, we need to change all 3 files. As we discussed before, we'd better
check the version number attack in all 3 files, see the comments
around line 1090 of Handshaker.java:

  // we have checked the ClientKeyExchange message when reading TLS
  // record, the following check is necessary to ensure that
  // JCE provider does not ignore the checking, or the previous
  // checking process bypassed the premaster secret version checking.


> Also, the message name is not "PreMasterSecret message". I know it
> should be "ClientKeyExchange" for RSAClientKeyExchange.java.
> 
OK, I changed the word to "... version number of PreMasterSecret in a
ClientKeyExchange".

> and, "tolerate" is the verb, "tolerant" is an adjective.
> 
Good.

webrev updated: http://cr.openjdk.java.net/~xuelei/6976118/webrev.01/

Thanks,
Xuelei

> Thanks
> Max
> 
> 
> On 12/27/2010 05:46 PM, Xuelei Fan wrote:
>> Hi Weijun,
>>
>> A simple fix for version number tolerance.
>>
>> webrev: http://cr.openjdk.java.net/~xuelei/6976118/webrev.00/
>>
>> Thanks,
>> Xuelei



