RFR 8044860: Vectors and fixed length fields should be verified for allowed sizes

Jamil Nimeh jamil.j.nimeh at oracle.com
Fri Jan 23 06:17:19 UTC 2015


I did check some of the other TLS RFCs, particularly 6066, 6961, 4492, 
5288 and a few others.  There are so many that I'm not 100% certain I 
caught them all, but not all apply to JSSE either.  In all the RFCs I 
looked at, those vectors had upper bounds that matched the maximum value 
for its length field.

--Jamil


On 01/22/2015 09:57 PM, Bradford Wetmore wrote:
> Jamil,
>
> MAX_LENGTH probably could have been private, but not a big deal.
>
> Nice that it was only SessionID.  I did a spot check on the TLS 
> Extensions and TLS1.0-1.2, do you check on other related TLS RFCs?
>
> Brad
>
>
>
> On 1/22/2015 6:27 PM, Xuelei Fan wrote:
>> Looks fine to me.  Thanks!
>>
>> Xuelei
>>
>> On 1/23/2015 10:24 AM, Jamil Nimeh wrote:
>>> Hi Xuelei, et al.:
>>>
>>> Updated webrev:
>>> http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.02
>>>
>>> Thanks,
>>> --Jamil
>>>
>>> On 01/22/2015 04:26 PM, Xuelei Fan wrote:
>>>> I may use SSLProtocolException if the size of session ID is bigger 
>>>> than
>>>> 32.  Otherwise, looks fine to me.
>>>>
>>>> Xuelei
>>>>
>>>> On 1/23/2015 2:35 AM, Jamil Nimeh wrote:
>>>>> Hi all,
>>>>>
>>>>> This review is to provide length checks on the session ID for SSL/TLS
>>>>> connections.  It appears to be the only vector/array that needs
>>>>> additional length-checks to make sure it's not exceeding 32 bytes.
>>>>>
>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8044860
>>>>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8044860/webrev.01
>>>>>
>>>>> Thanks,
>>>>> --Jamil
>>>
>>



More information about the security-dev mailing list