Code review request 8026119 Regression test DHEKeySizing.java failing intermittently
Weijun Wang
weijun.wang at oracle.com
Mon Oct 14 03:45:19 UTC 2013
On 10/14/13 11:19 AM, Xuelei Fan wrote:
> CC security-dev.
>
> On 10/14/2013 11:04 AM, Xuelei Fan wrote:
>> Normally, there are only leading zero of DH keys.
> Oops, typo here:
> ... there is only one leading zero of DH keys.
>
> Xuelei
>
>> By the fix, I suppose
>> it should rarely happen for 3 bytes leading zeros. The worst cases,
>> dh_p, dh_g and dh_Ys each has 3 leading zeros (9 bytes in total) in a
>> handshaking message.
I guess they are independent? So the probability of all 3 having 3 leading
zeroes is still (256^3)^3.
>>
>> It's both OK to me to use 2 (6 in total) and 3 (9 in total) leading zeros.
>>
Any is OK, since the expected differences are big enough. Your code
change is fine.
Thanks
Max
>> Xuelei
>>
>> On 10/14/2013 10:57 AM, Weijun Wang wrote:
>>> Isn't 9 too big here? If I understand correctly, the probability of the
>>> bias being up to 9 is (1/256)^9. If this happens, you should really
>>> suspect the quality of your RNG.
>>>
>>> Thanks
>>> Max
>>>
>>> On 10/14/13 10:42 AM, Xuelei Fan wrote:
>>>> Hi Max,
>>>>
>>>> Please review this simple fix of a regression test intermittent failure.
>>>>
>>>> webrev: http://cr.openjdk.java.net/~xuelei/8026119/webrev.00/
>>>>
>>>> The cause of the issue is that during TLS handshaking, if the negotiated
>>>> DH key starts with zero bytes, the leading zero bytes are stripped in
>>>> the communication. As a result, we cannot estimate the DH key size
>>>> in handshaking messages exactly. This fix is an effort to minimize the
>>>> impact of the leading zeros by a length bias. If the message size is
>>>> between [dh_key_size - bias, dh_key_size], the message is OK in this
>>>> test.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
>>
>
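
An added illustration of the length check discussed in this thread (not code from the webrev or from DHEKeySizing.java): it strips leading zero bytes from random 1024-bit values, used here as an assumed stand-in for dh_Ys, and counts how often a size check with a bias of 0 to 3 bytes rejects them. The class name, method names, key size and trial count are hypothetical.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;

public class DhLengthBias {
    // Big-endian magnitude with the sign byte and leading zero bytes removed,
    // i.e. the shortened form the thread says appears in the handshake.
    static byte[] stripped(BigInteger v) {
        byte[] b = v.toByteArray();
        int i = 0;
        while (i < b.length - 1 && b[i] == 0) {
            i++;
        }
        return Arrays.copyOfRange(b, i, b.length);
    }

    // Acceptance rule from the thread: size in [expected - bias, expected].
    static boolean withinBias(int observed, int expected, int bias) {
        return observed >= expected - bias && observed <= expected;
    }

    public static void main(String[] args) {
        int keyBytes = 128;          // constructed: a 1024-bit DH value
        int trials = 200_000;        // constructed sample size
        SecureRandom rnd = new SecureRandom();
        int[] rejected = new int[4]; // index = bias in bytes, 0..3

        for (int t = 0; t < trials; t++) {
            // Assumption: a uniformly random value stands in for dh_Ys.
            BigInteger ys = new BigInteger(keyBytes * 8, rnd);
            int observed = stripped(ys).length;
            for (int bias = 0; bias < rejected.length; bias++) {
                if (!withinBias(observed, keyBytes, bias)) {
                    rejected[bias]++;
                }
            }
        }
        for (int bias = 0; bias < rejected.length; bias++) {
            System.out.printf("bias=%d rejected %d of %d (%.5f%%)%n",
                    bias, rejected[bias], trials, 100.0 * rejected[bias] / trials);
        }
    }
}
```

With a bias of 0 about one value in 256 is rejected, which is the shape of an intermittent failure; each additional byte of bias divides that rate by roughly 256.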