Code Review Request: TLS 1.3 Implementation
Xuelei Fan
xuelei.fan at oracle.com
Thu Jun 7 00:19:00 UTC 2018
On 6/6/2018 1:11 PM, Anthony Scarpino wrote:
> I can make the below changes if they are accepted.
>
Please take care of the update, except the fragmentSize for
InputRecord.java.
> Tony
> ------
>
> InputRecord.java
> - Optimize Imports
> - fragmentSize appears not to be used. It is constructed,
> it can be set by changeFragmentSize. MaxFragExtension even calls these
> methods, but no where can I find that uses the fragmentSize. It appears
> the fragment sizes are either calculated in the SSLCipher or the
> negotiatedMaxFragLen is used in the handshakeSession.
>
I need more time for this point.
> 65: getHelloVersion() is unused
>
> - For the below, I would assume integer overflow isn't an issue since
> these are all internal APIs and the worse we would see is an Out of
> Bounds exception
>
> 337: for (int i = offset, j = 0;
> 338: i < (offset + length) && j < headerSize; i++) {
>
> 359: for (int i = offset; i < offset + length; i++) {
>
> 373: for (int i = offset; i < offset + length; i++) {
>
Yes. These integers have been checked before calling into this method.
>
>
> DTLSInputRecord.java
> - Optimize Imports
> 102 } else if (srcsLength == 1) {
> 103 return decode(srcs[srcsOffset]);
>
> shouldn't it be decode(srcs[0]); otherwise it could be out of bounds.
>
The 'srcsLength' refer to the length from the offset. I think
srcsOffset should be used as the index.
>
>
> SSLEngineInputRecord.java
> - Optimize Imports
> 41: prevType never used
> 347: srcLimit never used
>
> 42 & 43: hsMsgOff and hsMsgLim are set to 0 and never change, later
> they are used in a check with themselves:
> 232: if ( ... && hsMsgOff != hsMsgLen) {
>
I missed the cleanup. hsMsgOff and hsMsgLen are not used any more.
"hsMsgOff != hsMsgLen" may be replaced with something like
handshakeBuffer.hasRemaining() or similar.
>
>
> SSLSocketInputRecord.java
> - Optimize Imports
> 47: prevType never used
> 48 & 49: nsMsgOff and hsMsgLim are set to 0 and never change, later
> they are used in a check with themselves:
> 266: if ( ... && hsMsgOff != hsMsgLen) {
>
As above.
Thanks,
Xuelei
More information about the security-dev
mailing list