Code Review Request for 7030966, Support AEAD CipherSuites (JSSE part of JEP 115)

Xuelei Fan xuelei.fan at oracle.com
Fri Jan 18 17:09:09 UTC 2013 

webrev: http://cr.openjdk.java.net./~xuelei/7030966/webrev.02/

No significant changes in the new webrev.

<removed some comments that is clear to me>

> I will be doing a putback of the JCE providers, so I can do your SunJCE
> signed provider putback for you.  Let's coordinate when you are ready.
> I will probably be ready early next week.
> 
Good!

> Minor nits:
> ===========
> What is the indentation style you are using?  I noticed a few places
> where it's not 4/8 spaces, and it's not lining up with anything on the
> previous line.  For example CipherSuite.java:522:544.
> 
I usually use 4 spaces for new lines. But if the next line is a
continuation of the previous line, I did not follow the 8 spaces strictly.

> Also, in several of your new methods, you are writing pseudo-javadoc
> style (@return/etc), but you're not starting the comment with "/**".
> This probably doesn't matter since we don't generate javadoc for
> internal classes.  Just mentioning since you took the time to format
> it and hoping it would render.
> 
I just want to use the tag in order to make the comments clear and easy
understood.

> CipherBox.java
> ==============
> 312/564:  I don't remember why we decided to use the RuntimeException
> AIOOBE here.  Ugh...anyway, can you also use exception chaining to help
> debug any reported problems?
> 
We don't have chaining constructor for ArrayIndexOutOfBoundsException class.

> 
> CipherSuite.java
> ================
> 510:  I don't think this statement is true anymore.  This is likley a
> carryover from the 1.4 days when we used to have a crypto provider in
> the JSSE jar file.  Not for this review, but maybe we should actually
> check that implementations are available?  If we remove SunEC and
> SunPKCS11 providers from the provider list, could we potentially
> disable the EC suites?
> 
Good catch.

EC algorithm will be checked in KeyExchange, rather than BulkCipher.  If
EC algorithm is not available, EC cipher suites will be disabled.

I worry about the RC4 cipher. The AES/CBC/128 is the minimal
requirements of a crypto provider, so I don't worry about AES/CBC/128.
However, RC4 is not in the minimal requirements of a crypto provider, so
we should check the availability of RC4 here.

I will file a new for this issue.

> 522:  Why are you also checking for CipherType.AEAD_CIPHER?
> 
AEAD/GCM is not implemented in all providers, for example the SunPKCS11
provider.  So we need to check the available of AEAD implementation.

> 
> 970:  "before" -> "while"
> 
It looks strange to me with two whiles:

    // ...,  we decrease the
    // priority of cipher suites in GCM mode for a while while GCM
    // technologies become mature in the industry.

I think "before" may be better word here.

> 1054: From http://www.rfc-editor.org/rfc/rfc6460.txt
> 
>    A Suite B TLS client configured at a minimum level of security of 128
>    bits MUST offer the TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 or the
>    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite in the
>    ClientHello message.  The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>    cipher suite is preferred; if offered, it MUST appear before the
>    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite.
> 
> I would have thought what you have is the correct order, but it
> doesn't follow the RFC. Please add a note to remind us, because this
> order will not make sense in 6 months.  ;)
> 
You are right. The current default cipher suites preference is not
Suite-B/RFC6460 compliant.  We need additional work to configure the
cipher suites in order to comply with RFC 6460.  We may want to add a
new feature in the future.

> EngineInputRecord.java
> ======================
> 191:  Your comment is a little confusing here.  Does this mean it does
> this internally?
> 
Need to remove this line. Removed.

> EngineOutputRecord.java
> =======================
> 294/296:  Another great comment.  I might suggest reversing the
> comments so that the comment about AEAD is in the AEAD arm, and CBC is
> outside.
> 
I'm not sure I catch your ideas. ;-) Would you please show me the code?

> 306:  The original code was bad (double debug != null :) ), and I
> realize the original code was lacking in parens "()", but can you
> please add parens to indicate exactly what expression order you intend
> here.  My head is spinning from parsing the various cases: I'm not sure
> the logic here is correct.  I think we should output if debug is on
> and either handshake/record is active or we're outputing a CCS.  That
> is:
> 
>     if ((debug ! null) &&
>         ((Debug.isOn("record") || (Debug.isOn("handshake") ||
>         (contentType() == ct_change_cipher_spec))))) {
> 
> Is my thinking incorrect?
> 
In the old code, there is no dump for "handshake" level log unless it is
a change_cipher_spec message.  However, the log is dumped for "record"
level log.   I think it was right because the log here is record
information, but not handshake message.

I think the update does not changes the behavior.

> 
> Handshaker.java
> ===============
> This is a comment for ClientHandshaker/Handshaker.  I just want to
> confirm some restrictions from Section 4 of RFC 5288:
> 
> 1.  If a remote client offers <= TLS 1.1 and a GCM suite, we won't
> possibly select a GCM suite.  I'm pretty sure this is ok, just wanted
> to check.
> 
Yes.

> 2.  If a remote server selects a GCM ciphersuite and a version other
> than TLS 1.2, our client will send an alert_illegal_parameter.   I
> think this is done at ClientHandshaker:461 calling into
> Handshaker:isNegotiable(), but the comments in getActiveCipherSuites()
> only talk about the initial request, not the CipherSuite we actually
> get back from the server.  Can you please double check this?
> 
Good catch.  We did not check the cipher suite and protocol version
together.  Need to address this in a new bug so that we can backport the
update.

> InputRecord.java
> ================
> 198:  Didn't follow this comment "before the exception occurs"?  Before
> the MAC occurs?  Or in the case of an exception in signer.compute.
> 
Need more comments here:

count -= macLen;  // Set the count before any MAC checking
                  // exception occurs, so that the following
                  // process can read the actual decrypted
                  // content (minus the MAC) in the fragment
                  // if necessary.

> 
> Record.java
> ===========
> 55:  Never noticed this before.  Is maxIVLength really 256, or were you
> just being overly cautious?  All of our current block ciphers (e.g.
> AES-CBC) max out at 16 bytes, and there's only 8 bytes for TLS GCM mode
> nonce-explicit?  For each OutputRecord, I think you're reserving an
> extra 245 bytes here that will never be used.  (5 + 256 - 16)  If
> you're nervous about future suites bumping the size, you could add a
> simple check during CipherSuite.java initialization.
> 
Good point.  Need to address this in a new bug so that we can backport
the update.

Thanks,
Xuelei

More information about the security-dev mailing list