Code Review Request: TLS 1.3 Implementation

Anthony Scarpino anthony.scarpino at oracle.com
Sun Jun 3 18:02:21 UTC 2018 

Xuelei,

 From looking at your code change at 151 and 219  when a single 
KeyUpdate handshake is sent, it appears you are changing all 4 keys, 
both send and receive from the client and send and receive from the server.

It was my interpretation of the spec that only the send and receive keys 
were for one side were updated.  After many rereading of 4.6.3 I finally 
see where you think all 4 keys are updated.

spec:
   If the request_update field is set to “update_requested” then the
   receiver MUST send a KeyUpdate of its own with request_update set to
   “update_not_requested” prior to sending its next application data

I can see where you believe "send a KeyUpdate of its own" means update 
the send and receive keys from the opposite direction.  Where I 
interpreted this as an ACK by the receiver to updating the receiving key.

I believe your interpretation is probably right and the spec could be 
worded better.

The other changes are fine.

Tony

On 06/02/2018 09:26 PM, Xuelei Fan wrote:
>  > KeyUpdate.java
>  > --------------
> Update: http://hg.openjdk.java.net/jdk/sandbox/rev/66c803c3ce32
> 
> Fixed two test issues and the following KeyUpdate implementation.  This 
> update will be included in the next webrev for further review.
> 
> Xuelei
> 
> On 6/1/2018 12:56 PM, Xuelei Fan wrote:
>>  > http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.00
>>
>> MaxFragExtension.java
>> ---------------------
>> Looks fine to me.
>>
>>
>> KeyUpdate.java
>> --------------
>> - 74  new IOException("KeyUpdate message value invalid: " + status);
>> + 74  throw new IOException("KeyUpdate message value invalid: " + 
>> status);
>> Or
>> + 74  context.conContext.fatal(...);
>> The exception is not thrown.  Personally, I may prefer a 
>> RuntimeException as it is used in generation side, or send a fatal 
>> alert to indicate the problem.
>>
>>
>>    81  if (m.remaining() != 1) {
>>    82    throw new IOException("KeyUpdate has an unexpected length of "+
>>    83        m.remaining());
>>    84  }
>> Personally, I'd prefer to send a fatal alert.
>>
>>
>>    87  if (status > 1) {
>>    88     new IOException("KeyUpdate message value invalid: " + status);
>>    89  }
>> The exception is not thrown.  I may use a fatal alert.
>>
>>
>>   108  @Override
>>   109  public String toString() {
>>   110      throw new UnsupportedOperationException("Not supported yet.");
>>   111  }
>> For debugging, please implement this method and dump debug information 
>> in the consumer and producer accordingly.
>>
>>
>>   145  public void consume(ConnectionContext context,
>>   146          ByteBuffer message) throws IOException {
>>
>> I think we need to catch up with the following spec in this method:
>>     Implementations that receive a KeyUpdate message prior to receiving
>>     a Finished message MUST terminate the connection with an
>>     unexpected_message" alert.
>>
>>
>>   151  if (km.getStatus() == KeyUpdateMessage.NOTREQUSTED) {
>>   152      return;
>>   153  }
>>
>> If I'm correct, the "update_not_requested" status means "recipient of 
>> the KeyUpdate" may not respond with its own KeyUpdate", but still need 
>> to update its receiving keys.  Am I missing something?
>>
>>
>>   165 SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
>>   166        hc.conContext.inputRecord.readCipher.baseSecret);
>>   167 SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
>>   168 if (skd == null) {
>>   169      // unlikely
>>   170       hc.conContext.fatal(Alert.INTERNAL_ERROR,
>>   171             "no key derivation");
>>   172       return;
>>   173 }
>> Move line 167 bellow 173? he skd non-null checking can be performed  
>> 198       new KeyUpdateMessage(hc, 
>> KeyUpdateMessage.NOTREQUSTED));earlier.
>>
>>
>> The blank line 191 may be not necessary.
>>
>>
>>   196  // Send Reply
>>   197  handshakeProducer.produce(hc,
>>   198      new KeyUpdateMessage(hc, KeyUpdateMessage.NOTREQUSTED));
>> If one update the 151-153 block, please don't forgot to update this 
>> block as well if needed: send reply if the status is REQUSTED.
>>
>>
>>   219  if (km.getStatus() == KeyUpdateMessage.REQUSTED) {
>>   220      secret = hc.conContext.outputRecord.writeCipher.baseSecret;
>>   221  } else {
>>   222      km.write(hc.handshakeOutput);
>>   223      hc.handshakeOutput.flush();
>>   224      return null;
>>   225  }
>> Similar comment as 151-153.  For NOTREQUSTED status, may still need to 
>> update the write keys.
>>
>>
>> Xuelei
>>
>> On 5/25/2018 4:45 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> I'd like to invite you to review the TLS 1.3 implementation.  I 
>>> appreciate it if I could have compatibility and specification 
>>> feedback before May 31, 2018, and implementation feedback before June 
>>> 7, 2018.
>>>
>>> Here is the webrev:
>>>      http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.00
>>>
>>> The formal TLS 1.3 specification is not finalized yet, although it 
>>> had been approved to be a standard.  The implementation is based on 
>>> the draft version 28:
>>>      https://tools.ietf.org/html/draft-ietf-tls-tls13-28
>>>
>>> For the overall description of this enhancement, please refer to JEP 
>>> 332:
>>>      http://openjdk.java.net/jeps/332
>>>
>>> For the compatibility and specification update, please refer to CSR 
>>> 8202625:
>>>      https://bugs.openjdk.java.net/browse/JDK-8202625
>>>
>>> Note that we are using the sandbox for the development right now.  
>>> For more information, please refer to Bradford's previous email:
>>>
>>> http://mail.openjdk.java.net/pipermail/security-dev/2018-May/017139.html
>>>
>>> Thanks & Regards,
>>> Xuelei

More information about the security-dev mailing list