Code Review Request: CR 6976118, version number tolerance in the PreMasterSecret

Weijun Wang weijun.wang at oracle.com
Thu Dec 30 06:06:16 PST 2010



On 12/30/2010 06:07 PM, Xuelei Fan wrote:
> On 12/30/2010 9:39 AM, Weijun Wang wrote:
>> Hi Xuelei
>>
>> Are you sure these 3 files all need to be changed? Hopefully you can
>> change as few as possible.
>>
> Yes, we need to change all 3 files. As we discussed before, we'd better
> check for the version number attack in all 3 files, see the comments
> around line 1090 of Handshaker.java:

If you're sure that, if any one of these 3 files is not updated, IE
has a problem accessing the JSSE server, I'm OK with the webrev.

Still, I somehow wish only one change would do, say, when the
ClientKeyExchange message is received, you secretly modify something
inside. Of course, if this causes a HandshakeHash computation error or any
other inconvenience/confusion, don't do it.

Thanks
Max


>
>    // we have checked the ClientKeyExchange message when reading TLS
>    // record, the following check is necessary to ensure that
>    // JCE provider does not ignore the checking, or the previous
>    // checking process bypassed the premaster secret version checking.
>
>
>> Also, the message name is not "PreMasterSecret message". I know it
>> should be "ClientKeyExchange" for RSAClientKeyExchange.java.
>>
> OK, I change the word to "... version number of PreMasterSecret in a
> ClientKeyExchange".
>
>> and, "tolerate" is the verb, "tolerant" is an adjective.
>>
> Good.
>
> webrev updated: http://cr.openjdk.java.net/~xuelei/6976118/webrev.01/
>
> Thanks,
> Xuelei
>
>> Thanks
>> Max
>>
>>
>> On 12/27/2010 05:46 PM, Xuelei Fan wrote:
>>> Hi Weijun,
>>>
>>> A simple fix for version number tolerance.
>>>
>>> webrev: http://cr.openjdk.java.net/~xuelei/6976118/webrev.00/
>>>
>>> Thanks,
>>> Xuelei
>


